INTRODUCTION


This report is the second of two documents prepared in fulfillment of
the Air Force contract for the update of MIL-F-9490D, the general specification
for the design, test and installation of flight control systems for
piloted aircraft.

The  objective  of  this  contract  effort  was  to  incorporate,  through 
an  amendment  to  the  specification  and  supporting  user  information,  up-to-date 
requirements  and  information  necessary  for  more  efficient  system  acquisition. 

This report provides User Guide information and substantiating background
material in support of the first document, Amendment 1 to MIL-F-9490D.

MIL-F-9490D  is  scheduled  to  be  converted  into  MIL-Prime-SPEC  format 
in 1982. However, results of a validation program conducted under contract
by  Northrop  Corporation  with  Lockheed-Georgia  Company  as  subcontractor  and 
the  release  of  pertinent  new  data  have  indicated  that  an  updated  amendment 
would  aid  in  the  preparation  of  the  revision  and  increase  the  usefulness  of 
the  specification  until  the  new  revision  is  available. 
SCOPE


In this program, only existing flight control system data was to be
used in the substantiation of new specification requirements. Recommendations
and background information were to be based on existing data and
require no additional study and analysis programs.

Because  of  the  short  duration  of  the  contract,  it  was  necessary  to 
identify  and  limit  the  potential  areas  for  revision  or  discussion  early; 
only  areas  of  significant  impact  were  to  be  considered.  The  following  is  a 
list  of  the  areas  identified  in  coordination  with  the  Air  Force  Update  Panel. 

a. Digital flight controls requirements relative to redundancy management,
data transmission, microprocessor applications, and software
verification/validation.

b.  Fly-by-wire  controls  requirements  relative  to  electrical  design, 
signal  transmission,  actuation  failure  management,  and  immunity 
to  associated  subsystem  failures. 

c.  Self-test  capability  requirements  versus  complexity,  confidence 
level,  and  preflight  test  duration. 

d.  Cockpit  controls/displays  design  requirements  to  accommodate  high-g 
cockpit  geometry  constraints  and  integrated  displays. 

e.  Actuation  requirements  to  reflect  the  application  of  high  performance 
rotary  mechanical  actuators  and  electromechanical  actuators  to 
essential  or  flight  phase  essential  functions. 

f.  Controls/structure  interaction  and  integration  requirements  relative 
to  analysis  and  test  verification. 

g. Simulation requirements relative to system development and performance
verification as influenced by type of aircraft and flight
control system concept.

h.  Compatibility  between  the  update  amendment  and  the  new  revision  of 
the  flying  qualities  specification,  MIL-F-8785C. 

Following  a  literature  search  and  meetings  with  members  of  industry,  the 
resulting  data  were  catalogued  according  to  the  key  areas.  Subsequently,  the 
specifications  and  assimilated  data  were  reviewed  and  recommended  amendments 
and  discussions  were  prepared. 
SUMMARY OF RESULTS


In  the  preparation  of  this  report  it  became  more  apparent  than  ever  that 
flight control system design requires a multi-disciplinary approach incorporating
various aspects of electrical and mechanical engineering and the system,
computer,  and  management  sciences.  As  a  result  there  is  a  significant  amount 
of  overlapping  and  intertwining  of  various  requirement  areas. 

The  state  of  the  art  has  advanced  rapidly  in  the  last  five  years,  particularly 
in  the  area  of  electronics  for  digital  flight  controls.  This  report  attempts 
to  accommodate  the  current  state  of  the  art  while  providing  for  the  implementation 
of  future  advances. 

The  bulk  of  this  report  addresses  the  interrelated  topics  of  digital  flight 
controls,  fly-by-wire  controls,  and  self  test  and  monitoring.  These  topics 
are  addressed  in  many  requirement  areas.  In  addition  to  being  addressed  in  the 
obvious  areas  of  system  test  and  monitoring  and  electrical  signal  computation 
and  transmission,  they  are  also  referred  to  in  the  redundancy,  reliability, 
survivability,  invulnerability,  and  maintenance  requirements. 

Of  particular  note  are  the  additions  of  a  redundancy  management  requirement 
and  discussion,  which  were  absent  in  the  D  revision,  and  the  integration  of 
software  requirements  for  FCS  design  and  documentation  into  the  specification. 

Where  the  D  revision  gave  little  consideration  to  FCS  software,  this  document 
attempts  to  coordinate  DOD  software  requirements  and  recommended  approaches  in 
the  specification  and  User  Guide  without  restricting  FCS  software  design.  Both 
of  these  modifications  have  been  made  with  the  goal  of  more  efficient  system 
acquisition  in  mind. 

Other  subjects  covered  in  this  report  include  updates  of  the  requirements 
for  stability,  Automatic  Flight  Control  Systems  (AFCS),  and  cockpit  controls/ 
displays,  and  modification  of  the  quality  assurance  and  actuation  requirements. 

In addition, an effort was made to make MIL-F-9490D compatible with the latest
revision of the specification for flying qualities of piloted aircraft,
MIL-F-8785C.

In preparing the amendments for the AFCS and the cockpit controls/displays
requirements, Volumes II and III of AFFDL-TR-77-7, the Northrop/Lockheed-Georgia
validation of MIL-F-9490D, were the main reference sources, coupled with the
current experience of our advisory personnel.

Amendments to the quality assurance requirements provide a thorough and
comprehensive  documentation  of  FCS  design  requirements,  in  particular  software 
documentation,  and  test  requirements  relative  to  system  development  and 
performance  verification  as  influenced  by  aircraft  type  and  FCS  concept. 

For  some  requirements  there  were  no  amendments.  However,  User  Guide 
discussions  were  expanded  in  an  effort  to  incorporate  recent  experiences  and 
current  thinking.  In  some  cases,  such  as  stability  margins  and  survivability, 
the  amendment  modifies  the  emphasis  of  the  requirement  rather  than  making  a 
quantitative  change.  In  others,  such  as  reliability  and  system  test  and 
monitoring, amendments were felt to be either undesirable, given the generality
of the specification, or out of scope, given the size of the contract
effort. 
2. APPLICABLE DOCUMENTS


2.1: Under line 9, "MIL-F-3541", insert "MIL-S-3950 Switches,
Toggle, Environmentally Sealed, General Specification for".

Under line 34, "MIL-G-6641", insert "MIL-S-6743 Switches,
Sensitive and Push, Snap Action, Actuators and Enclosures, General Specification
for".

Under  line  91,  "MIL-M-38510",  insert  "MIL-S-52779  Software 
Quality  Assurance  Requirements"  and  "MIL-C-81774  Control  Panel,  Aircraft, 
General  Requirement  for". 

Under  line  103,  "the  Selection  of",  insert  "MIL-STD-203 
Aircrew  Station  Controls  and  Displays  for  Fixed  Wing  Aircraft". 

Under line 111, "ments for Equipment" insert "MIL-STD-471A
Maintainability Verification/Demonstration/Evaluation".

Under line 113, "and Waivers" insert "MIL-STD-483 Configuration
Management Practices for Systems, Equipment, Munitions and Computer
Programs" and "MIL-STD-490 Specification Practices" and "MIL-STD-499 Engineering
Management".

Under line 119, "Equipment and Facilities" insert "MIL-STD-1521
Technical Reviews and Audits for Systems, Equipment, and Computer
Programs".

Under line 115, "of", insert "MIL-STD-781 Reliability Design
Qualification and Production Acceptance Tests: Exponential Distribution".

Under line 147, "AFSC DH 2-2" insert the following heading
and publication title:

"Air  Force  Regulations  Document 

AFR-800-14  Vol.  I:  Management  of  Computer  Resources  in  Systems 

Vol.II:  Acquisition  and  Support  Procedures  for  Computer 
Resources  in  Systems". 

2.2 Other publications. Line 20: Change the heading to "FAA Advisory
Circulars". 
d in the discussions of the appropriate amended requirements
3.  and  4.  and  addition  of  definitions  in  Para.  6.6. 
3. REQUIREMENTS


3.1.2  AFCS  performance  requirements.  Line  1:  Before  the  first  sentence 
insert  "Engage  and  disengage,  selection  logic,  and  functional  safety  criteria 
and  limits  for  each  AFCS  function  shall  be  established  and  specified  in  the 
detail  flight  control  specification." 

Discussion 


The intent of this amendment is to highlight the need for AFCS requirements
to be tailored to each particular procurement activity, thereby allowing
flexibility  and  freedom  in  AFCS  design. 

3.1.2.2 Heading hold. Line 4: Delete the last sentence and substitute
"When heading hold is engaged, the aircraft shall roll towards wings level.
The reference heading shall be that heading that exists when the aircraft
passes through a roll attitude that is wings level plus or minus a tolerance."

Discussion 


It may be arguable that a heading hold accuracy of ±0.5 degrees does not
appreciably enhance mission effectiveness or aircraft operational efficiency
over an accuracy of ±1.0 degree, for the heading hold mode. Since, however,
the state of the art now allows realization of the more stringent requirement
without undue penalty in cost, the requirement is considered valid.

The 5 degree RMS heading deviation requirement for operation in light
turbulence is desirable. This prevents design of an easily saturable mode
while not restricting the functional design of the overall AFCS, reference 1.
If  a  flight  controller  is  used,  when  the  controller  is  returned  to  detent, 
the  aircraft  shall  roll  towards  wings  level;  the  reference  heading  shall  be 
that  heading  that  exists  when  the  aircraft  passes  through  a  roll  attitude 
that  is  wings  level  plus  or  minus  a  tolerance. 


The  requirement  states  that  heading  hold  shall  automatically  engage  as 
the  controller  is  returned  to  the  detent.  The  use  of  the  word  "as"  makes 
this  confusing.  The  word  "when"  is  proper  in  this  case.  A  majority  of  the 
aircraft  use  the  detent  position  as  the  logic  for  going  to  the  heading  hold 
mode,  reference  1. 

For  initial  engagement  of  heading  hold,  or  subsequent  return  to  heading 
hold  from  control  stick  (wheel)  steering  or  flight  controller  commanded  bank 
angle,  the  selection  of  the  reference  heading  is  not  made  until  two  criteria 
are  satisfied: 

1)  heading  hold  is  selected,  and 

2)  the  roll  attitude  is  approximately  wings  level. 

This  dual  criterion  ensures  that  the  aircraft  will  not  be  forced  to  make 
an  appreciable  turn  in  the  opposite  direction  in  order  to  capture  a  heading 
that existed while the aircraft was in a turn and heading hold was engaged.
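The dual criterion can be seen in a short simulation. This is an added example, not part of the original report: it latches the reference heading only when heading hold is selected and the roll attitude is within a tolerance of wings level, and it reports how far the aircraft would otherwise have to turn back. The airspeed, roll-out rate, and 1 degree tolerance are constructed values, and the coordinated-turn model is an assumption.

```python
import math

G = 9.81                    # gravitational acceleration, m/s^2
TAS = 120.0                 # true airspeed, m/s (constructed value)
ROLL_OUT_RATE_DPS = 5.0     # roll-out rate toward wings level (constructed value)
WINGS_LEVEL_TOL_DEG = 1.0   # assumed tolerance; the requirement leaves the value open


def turn_rate_dps(bank_deg):
    """Heading rate in a coordinated turn at the given bank angle (assumed model)."""
    return math.degrees(G * math.tan(math.radians(bank_deg)) / TAS)


def heading_error_deg(reference_deg, heading_deg):
    """Signed shortest-path difference, reference minus heading, in [-180, 180)."""
    return (reference_deg - heading_deg + 180.0) % 360.0 - 180.0


class HeadingHold:
    """Latches the reference heading only when both criteria are satisfied."""

    def __init__(self, tol_deg=WINGS_LEVEL_TOL_DEG):
        self.tol_deg = tol_deg
        self.selected = False
        self.reference = None

    def select(self):
        # Criterion 1: heading hold is selected. Any old reference is discarded.
        self.selected = True
        self.reference = None

    def update(self, heading_deg, roll_deg):
        # Criterion 2: roll attitude is approximately wings level.
        if self.selected and self.reference is None and abs(roll_deg) <= self.tol_deg:
            self.reference = heading_deg % 360.0
        return self.reference


def simulate_roll_out(heading_deg, bank_deg, dt=0.02):
    """Select heading hold while banked, roll toward wings level, and return
    (heading at selection, reference heading latched by the dual criterion)."""
    hold = HeadingHold()
    hold.select()
    heading_at_engage = heading_deg % 360.0
    while hold.update(heading_deg, bank_deg) is None:
        heading_deg += turn_rate_dps(bank_deg) * dt          # still turning while banked
        step = min(abs(bank_deg), ROLL_OUT_RATE_DPS * dt)
        bank_deg -= math.copysign(step, bank_deg)             # roll toward wings level
    return heading_at_engage, hold.reference


if __name__ == "__main__":
    engage, latched = simulate_roll_out(90.0, 30.0)
    back = heading_error_deg(engage, latched)
    print(f"heading at selection: {engage:6.1f} deg")
    print(f"latched reference   : {latched:6.1f} deg")
    print(f"turn needed to regain the selection heading: {back:+.1f} deg")
```

With these values the heading at selection lies several degrees behind the aircraft by the time it is wings level, which is the opposite-direction turn the dual criterion avoids.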

3.1.2.3 Heading select. Line 7: After the fourth sentence, insert "Entry
into  and  exit  from  the  turn  shall  be  smooth  and  rapid." 

Discussion 

The  imposition  of  limits  on  roll  rate  and  roll  acceleration  when  maneuvering 
to  the  new  heading  establishes  an  upper  limit  for  the  rates  and  accelerations 
but  does  not  address  a  minimum  acceptable.  The  requirement  for  smooth  and 
rapid  assures  that  minimum  rates,  as  well  as  maximum,  will  be  acceptable. 

The  roll  rate  and  acceleration  upper  limits  are  specified  to  preclude 
an  overly  rapid  response.  The  requirement  for  smooth  and  rapid  roll-in  and 
roll-out  of  the  turn  is  stated  to  ensure  that  the  response  is  not  unduly 
sluggish,  reference  1. 

3.1.2.4 Lateral acceleration and sideslip limits. Line 1: Delete the first
sentence and substitute "Except for flight phases using direct side force
control or during which sideslip is deliberately induced, e.g., forward slip
to a landing, the following performance shall be provided when any lateral-directional
AFCS function is engaged."

Discussion 


Deliberately  induced  sideslip  maneuvers,  such  as  those  which  might  be 
used  during  coupled  autoland  modes,  are  excluded  from  this  requirement. 

The  acceleration  and  sideslip  limits  as  previously  defined  did  not  account 
for  deliberate  sideslip  maneuvers.  Autoland  implementations  and  the  advent 
of  control-configured  vehicles  require  that  these  limits  not  be  applied  during 
deliberate  side-slip  or  side-force  maneuvers. 

3.1.2.4.1 Coordination in steady banked turns. Line 1: Delete the first
sentence and substitute "The incremental sideslip angle shall not exceed
2 degrees from the trimmed value, and lateral acceleration shall not exceed
0.03g while at steady bank angles up to the maneuver bank angle limit reached
during normal maneuvers with the AFCS engaged."

3.1.2.4.2 Lateral acceleration limits, rolling. Line 2: Delete "aircraft
with" and substitute "flight condition with aircraft".

Line 3: Delete "aircraft with" and substitute "flight
condition with aircraft".

Line 4: Delete "aircraft with" and substitute "flight
condition with aircraft".

Discussion 


This  change  recognizes  that  an  aircraft's  roll  rate  capability  will  vary 
within  the  aircraft's  flight  envelope  and  as  roll  rate  capability  varies  so 
will  the  required  lateral  acceleration  limits.  For  example,  if  an  aircraft 
with  a  90  deg/sec  maximum  roll  rate  capability  can  only  roll  at  30  deg/sec  in 
some portion of the envelope, then at that condition, the tolerance should be
±0.1g not ±0.5g.
3.1.2.4.3 Coordination in straight and level flight. Line 1: Delete the
first sentence and substitute "The accuracy while the aircraft is in straight
and level flight shall be maintained with an incremental sideslip angle of
±1 degree from the trimmed value or a lateral acceleration of ±0.02g at the
c.g., whichever is lower."

Discussion 


In order to account for steady-state trimmed sideslip angles which are
required  to  support  vehicle  and  store  asymmetries,  the  requirement  has  been 
changed  from  absolute  to  incremental  values  of  sideslip  and  lateral  acceleration. 

Vehicle  asymmetries,  especially  those  caused  by  asymmetric  stores,  will 
require  a  steady-state  sideslip  angle  to  balance  the  unsymmetrical  aerodynamic 
forces.  Non-zero  bank  angles  may  also  be  required  to  support  steady-state 
trim.  Under  these  conditions  it  is  necessary  to  replace  the  absolute  sideslip 
angle  restriction  with  incremental  sideslip  from  unaccelerated  flight  reference 
sideslip  values. 

3.1.2.6 Mach hold. Line 1: Before the first sentence, insert "The requirements
of this paragraph shall be met in straight, steady flight including
climb or descent."

Line 7: After the last sentence, add "Adjustment
capability of at least ±0.01 Mach shall be available to allow the pilot to
vary the reference Mach number around the engaged Mach number."

Discussion 


This requirement is applicable to a Mach hold mode using either the
autopilot pitch axis or an automatic throttle system. The RFP and the FCS
specification should define which is to be used. Experience on installing
automatic throttle systems on the QB-47, C-141, and C-5A has shown that some
adjustment capability must be made available for the pilot.
It is very difficult to engage the mode at the control airspeed required
in adverse weather. ARINC Characteristic No. 558 (Air Transport Automatic
Throttle System) indicates a full range of adjustment for their system,
reference 1.

The  basic  purpose  of  the  Mach  hold  mode  is  to  provide  a  Mach  hold 
capability  in  "straight  and  level"  cruise  flight  where  optimum  range  or  time 
will  result,  or  in  climb  out  where  the  best  rate  or  angle  of  climb  Mach  will 
be  maintained.  The  requirement  is  applicable  to  a  Mach  hold  mode  using 
either  the  autopilot  pitch  axis  or  an  automatic  throttle  system.  This  makes 
possible two-degrees-of-freedom control, simultaneously selecting two control
modes, e.g., altitude control through pitch and Mach through autothrottle.
This  enables  Mach  hold  to  be  engaged  during  maneuvering  flight  where  the 
system  is  unable  to  control  Mach  within  the  requirements,  or  under  conditions 
where  the  system  is  able  to  control  Mach  but  at  the  expense  of  altitude. 

For example, for a system which controls Mach by pitch, if a Mach upset
requires  a  descent  in  order  to  maintain  Mach,  an  ever  increasing  rate  of 
descent  will  occur  as  the  aircraft  descends  to  lower  altitude.  The  pilot 
is  responsible  for  maintaining  safe  flight  under  these  or  similar  conditions. 

3.1.2.7 Airspeed hold. Line 1: Before the first sentence, insert "The
requirements of this paragraph shall be met in straight, steady flight
including climb or descent."

Line 6: After the last sentence, add "Adjustment
capability of at least ±10 knots shall be available to allow the pilot to
vary the reference airspeed around the engaged airspeed."

Discussion 

This  requirement  is  applicable  to  an  airspeed  hold  mode  using  either  the 
autopilot  pitch  axis  or  an  automatic  throttle  system.  The  RFP  and  the  FCS 
specification  should  define  which  is  to  be  used.  Experience  on  installing 
automatic  throttle  systems  on  the  QB-47,  C-141,  and  C-5A  has  shown  that  some 
adjustment  capability  must  be  available  for  the  pilot.  It  is  very  difficult 
to  engage  the  mode  at  the  control  airspeed  required  in  adverse  weather. 
ARINC Characteristic No. 558 (Air Transport Automatic Throttle System) indicates
a full range of adjustment for their system, reference 1.

3.1.2.8 Automatic navigation

Discussion 

This  paragraph  covers  only  general  requirements  for  VOR  and  TACAN 
navigation  modes  and  definition  of  terms. 

Specific  requirements  for  inertial  navigation,  area  navigation,  or 
vertical  navigation  control  are  not  included  in  this  specification  since 
these  requirements  will  depend  on  the  aircraft  mission.  Normally  these 
requirements  will  be  included  in  the  procurement  detailed  specification,  when 
such  functions  are  required. 

Requirements  for  a  microwave  landing  system  (MLS)  approach  mode  have  not 
been  included  at  this  time  because  of  the  lack  of  definitive  information 
on  MLS  ground  facilities  and  contingent  approach  procedures. 

3.1.2.8.1 VOR/TACAN


Discussion 

The  VOR  and  TACAN  overshoot  and  tracking  accuracy  requirements  are 
stated  in  terms  of  angular  error  with  respect  to  the  selected  radial.  Thus 
the  allowable  error  automatically  decreases  with  decreasing  distance  to  the 
station.  The  TACAN  requirements  are  more  stringent  than  those  for  VOR, 
reflecting  the  improved  performance  that  should  be  achieved  through  use  of  the 
TACAN  range  information.  The  tracking  accuracy  requirements  are  stated  in 
terms  of  RMS  errors  over  a  defined  distance  from  the  station  that  is  far 
enough  removed  to  be  out  of  the  geometric  sensitive  area.  All  distances  are 
given  in  terms  of  nautical  miles  to  be  compatible  with  Air  Traffic  Control 
data  format.  The  overstation  requirements  allow  for  resetting  the  capture 
logic  if  it  is  found  to  be  desirable  by  the  contractor. 
3.1.2.8.1.1 VOR capture and tracking. Delete the entire paragraph and
substitute the following:

"Overshoot shall not exceed 1-1/3 degrees (20 µa) beyond the desired VOR
radial beam center in a no-wind condition for captures 50 nautical miles or
more from the station with intercept angles up to 45 degrees. Following
capture at 50 nautical miles or more, the aircraft shall remain within a
root-mean-square (RMS) 1-1/3 degrees (20 µa) from the VOR radial beam center.
RMS tracking error shall be measured over a 5 minute period between 50 and 10
nautical miles from the station or averaged over the nominal aircraft flight
time between the same distance limits, whichever time is shorter."

Discussion 


The use of the term "average error" is objectionable since large
"hunting" errors could occur to right and left of the beam and still result
in a small "average" error, reference 1.
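The difference between the two measures shows up on a constructed track. This is an added example, not part of the original report: it evaluates tracking error between 50 and 10 nautical miles over a 5 minute period or the flight time between those limits, whichever is shorter, and compares a hunting track with a steady offset. The tracks, the 1 Hz sampling, and the choice to report the worst sliding period are assumptions; the requirement does not say which 5 minute period is used.

```python
import math

VOR_RMS_LIMIT_DEG = 4.0 / 3.0    # 1-1/3 degrees, from the amended requirement
PERIOD_S = 300.0                 # 5 minute measurement period
FAR_NM, NEAR_NM = 50.0, 10.0     # distance limits from the station


def mean(values):
    return sum(values) / len(values)


def rms(values):
    return math.sqrt(sum(v * v for v in values) / len(values))


def make_track(groundspeed_kt, error_fn, start_nm=55.0, end_nm=5.0):
    """Constructed inbound track sampled at 1 Hz: (time_s, distance_nm, error_deg)."""
    track, t = [], 0
    while True:
        dist = start_nm - groundspeed_kt * t / 3600.0
        if dist < end_nm:
            return track
        track.append((float(t), dist, error_fn(t)))
        t += 1


def evaluate_track(samples):
    """Return the mean error, the worst RMS error over any measurement period,
    the period length used, and whether the RMS limit is met."""
    seg = [(t, e) for t, d, e in samples if NEAR_NM <= d <= FAR_NM]
    if len(seg) < 2:
        raise ValueError("no samples between the distance limits")
    flight_time = seg[-1][0] - seg[0][0]
    window = min(PERIOD_S, flight_time)        # "whichever time is shorter"
    worst = 0.0
    for i, (t0, _) in enumerate(seg):
        if t0 + window > seg[-1][0]:
            break                              # period would run past the 10 NM limit
        errors = [e for t, e in seg[i:] if t <= t0 + window]
        worst = max(worst, rms(errors))
    return {
        "mean_deg": mean([e for _, e in seg]),
        "worst_rms_deg": worst,
        "window_s": window,
        "passes": worst <= VOR_RMS_LIMIT_DEG,
    }


def hunting(t):
    """Constructed error: 2 degree oscillation left and right of the radial."""
    return 2.0 * math.sin(2.0 * math.pi * t / 60.0)


def offset(t):
    """Constructed error: steady 1 degree standoff to one side of the radial."""
    return 1.0


if __name__ == "__main__":
    for name, fn in (("hunting", hunting), ("offset", offset)):
        r = evaluate_track(make_track(240.0, fn))
        print(f"{name:8s} mean={r['mean_deg']:+.3f} deg  "
              f"worst RMS={r['worst_rms_deg']:.3f} deg  passes={r['passes']}")
```

The hunting track has a near-zero average yet exceeds the RMS limit, while the steady offset has the larger average and still meets it.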

3.1.2.8.1.2 TACAN capture and tracking. Delete the entire paragraph and
substitute  the  following: 

"Overshoot  shall  not  exceed  0.5  degrees  beyond  the  desired  TACAN  radial 
beam  center  in  a  no-wind  condition  for  captures  100  nautical  miles  or  more 
from  the  station  with  intercept  angles  up  to  45  degrees.  Following  capture  at 
100  nautical  miles  or  more,  the  aircraft  shall  remain  within  a  root-mean- 
square  (RMS)  0.5  degrees  from  the  TACAN  radial  beam  center.  RMS  tracking 
error  shall  be  measured  over  a  10  minute  period  between  100  and  10  nautical 
miles  from  the  station  or  averaged  over  the  nominal  aircraft  flight  time 
between the same distance limits, whichever time is shorter. The required 0.3
damping  ratio  shall  be  exhibited  for  continuous  tracking  between  100  and  10 
nautical  miles  from  the  station." 

Discussion 


The TACAN capture and tracking requirements were translated to angular
measure and the required tracking accuracy defined. The requirement, as
compared with VOR tracking accuracy requirements, reflects the improved
accuracy that can be achieved through use of the range information.


3.1.2.8.1.3 Overstation. Line 3: At the end of the first sentence, remove
the  period  and  insert  "in  a  no-wind  condition." 

Discussion 


The  overstation  mode  requirements  for  VOR  and  TACAN  defined  in  this 
paragraph  include  provisions  for  resetting  the  beam  capture  logic.  One  of 
the  more  common  complaints  from  military  and  commercial  pilots  relates  to 
limited capture performance for the outbound radial. Generally these complaints
have occurred because the AFCS remains in a tracking mode during
station overflight. Consequently, outbound captures are hampered by extremely
limited bank angles, etc., designed to ensure good tracking performance.

Future  configurations  should  provide  for  more  favorable  outbound  capture 
performance  by  development  of  more  comprehensive  control  laws  or  providing 
capture  logic  reset  as  a  function  of  station  overflight. 

3.1.2.9 Automatic instrument low approach system. Line 1: Change the
title to "Automatic approach system (ILS)."

Discussion 


This change denotes that the 3.1.2.9 subparagraphs are applicable to
only  ILS  systems. 

3.1.2.9.1 Localizer mode. Delete the entire paragraph and substitute the
following:

"The AFCS shall maintain a constant heading until the aircraft is within
+130 microamperes of the beam center, at which point the aircraft will be
maneuvered to capture the localizer beam. Heading or roll rate and attitude
commands shall be limited to provide a smooth capture and subsequent tracking
of the localizer beam. The initial overshoot during capture shall not
exceed 75 microamperes and the system shall exhibit a damping ratio of at
least 0.1 with intercept angles of 45 degrees at 8 miles from runway threshold
and increasing linearly to 60 degrees at 18 miles from runway threshold in a
no-wind condition. For intercept angles less than 45 degrees, the FCS shall
always maneuver the aircraft toward the course centerline. There shall be no
movement away from the runway threshold during capture. The system shall be
considered to be in the tracking mode whenever the following conditions are
satisfied: Localizer beam error is 1 degree (75 µa) or less, localizer beam
rate is 0.025 deg/sec (2 µa/sec) or less. During beam tracking the system
shall exhibit a damping ratio of 0.2 or greater. From the outer marker to
an altitude of 300 feet above runway elevation on the approach path, the AFCS
shall maintain the aircraft 2-sigma position within 0.47 degrees (35 µa) of
the localizer beam center. On the approach path from 300 feet above
runway elevation to the decision altitude of 100 feet, the AFCS shall maintain
the aircraft 2-sigma position within 0.33 degrees (25 µa). The performance
during the tracking mode shall be free of sustained oscillations. These
criteria shall be based on a Category II localizer ground installation."

Discussion 

It  is  felt  that  the  requirements  of  this  paragraph  are  too  stringent  and 
do  not  provide  maximum  designer  freedom  while  retaining  required  flight  safety. 

The  overshoot  requirement  of  0.5  degrees  (37.5  microamperes)  radial  error 
is  very  tight  and  could  require  a  special  design  such  as  a  variable  gain 
system  for  a  requirement  that  is  not  critical.  The  point  at  which  the  beam 
capture  is  initiated  should  be  specified.  It  is  felt  that  150  microamperes 
is  the  best  point  to  start  beam  capture.  This  requirement  states  that  a 
damping  ratio  of  0.2  or  greater  shall  be  exhibited  during  the  tracking  mode  at 
a  distance  of  40,000  feet  from  the  transmitter.  This  does  not  give  the 
required  damping  before  and  after  the  40,000  foot  point.  This  damping  ratio 
should  be  required  throughout  the  tracking  mode.  The  tracking  accuracy  of 
the requirement is more stringent than the FAA Category II approach requirement
of Advisory Circular AC 120-29. It is felt that the FAA requirements
should  be  used  since  these  requirements  are  considered  applicable  to  military 
aircraft,  reference  1. 
3.1.2.9.2 Glide slope mode. Line 5: After "satisfied" insert "the first".

Line 7: Delete "from below the beam in level flight at an
altitude greater than 800 feet above the glide slope transmitter datum
altitude in a no-wind condition." and substitute "in a no-wind condition from
above or below the beam under normal approach configurations,"

Line 9: Delete "0.085" and substitute "0.20".

Line 10: Delete "for the conditions defined." and substitute
"and the transient errors encountered during the tracking mode shall not
exceed 0.16 degrees (35 µa) of radial error from glide slope beam center."

Line 10: Delete "On" and substitute "When using".

Line 11: Delete "(including 10,000 foot runway) as defined
in ICAO Annex 10".

Line 13: Delete "opposition" and substitute "position".


Discussion

It  is  felt  that  this  is  a  good  requirement,  but  some  changes  are  required. 
Capture  performance  requirements  are  only  given  for  captures  from  below 
the  beam.  At  the  present  time,  more  and  more  approaches  are  being  made  at  a 
steeper  angle  due  to  environmental  (noise)  considerations;  therefore,  the 
performance  requirements  for  capture  should  be  given  for  above  and  below  the 
beam.  This  requirement  also  limits  the  capture  performance  requirements  to 
an  altitude  greater  than  800  feet  above  the  glideslope  transmitter  datum 
altitude.  The  capture  requirements  should  be  met  at  any  point  of  capture. 

The damping ratio requirement of 0.085 or greater after the first overshoot
is not acceptable. A damping ratio this low would be just as bad as
neutral stability and could induce PIO (pilot induced oscillation). The damping
ratio after the first overshoot should be similar to the localizer mode.

The  transient  error  that  could  occur  during  beam  tracking  should  be 
covered  in  this  requirement.  The  transient  error  should  never  exceed  the 
error  allowed  for  the  first  overshoot. 
The 2-sigma tracking requirements of 0.16 degrees (35 µa) or within 12
feet of beam center are felt to be reasonable. This tracking accuracy is the
same as that required in Advisory Circular AC 120-29.

3.1.2.9.3 Go-around mode

Discussion 


The  use  of  an  automatic  go-around  mode  would  depend  on  the  aircraft  and 
mission  requirements.  If  such  a  mode  is  required  then  this  requirement,  with 
the  provision  that  autopilot  steering  commands  are  displayed  on  the  flight 
director,  would  be  relevant  for  present  and  future  aircraft. 

3.1.2.9.3.2 Lateral-heading AFCS go-around performance standards.

Line  3:  After  "planes"  insert  "defined  in  FAA  Advisory 
Circular  120-29". 

Discussion 

This  requirement  is  valid  for  present  and  future  aircraft  with  a  change. 
The  first  sentence  should  be  changed  to  include  reference  to  the  FAA  Advisory 
Circular 120-29 which is implied. It should be noted that the performance
requirement of the last sentence is completely dependent on pilot reaction
and performance and is not an operational performance requirement on the
AFCS. It does affect the system design of the automatic go-around mode
in the area of failure announcement and effect of failures or disengagement
of  the  mode  on  the  aircraft  flight  path.  No  change  is  suggested  in  this  area. 

3.1.2.9.3.3 Minimum go-around altitude


Discussion 


The requirement is valid for present and future aircraft with the
understanding that it assumes that all aircraft will require a minimum
altitude for engaging the go-around mode. The C-5A and C-141 flight testing has
shown that minimum altitude for these aircraft is the runway altitude.

3.1.2.10 All weather landing system. Line 1: Change the title to "Automatic
landing system."


Line  1:  Delete  "all  weather"  and  substitute  "automatic". 

Line  4:  Delete  the  second  sentence  and  substitute  "Automatic 
landing  system  shall  be  designed  to  be  compatible  to  operations  in  Category 
III  weather  minimums  and  comply  with  the  following  landing  accuracies  and 
operational  requirements:" 

Line 15: Delete "(normally used during ICAO Category IIIb or
IIIc visibility conditions)".

After line 24, add the following paragraphs:

"d. Automatic landing system malfunction should not cause significant
displacement of the aircraft from its approach path, including altitude loss, or
cause any action of the flight control system that is not readily apparent to
the pilot, either by control movement or advisory display. Upon system
disconnection, the automatic landing system shall not cause any out-of-trim
condition not easily controlled by the pilot.

e.  Means  should  be  provided  to  inform  the  pilot  continuously  of  the  mode  of 
operation  of  the  automatic  landing  system.  Indication  of  system  malfunction 
should  be  conspicuous  and  unmistakable.  Positive  indication  should  be  provided 
that  the  flare  has  been  initiated  at  the  minimum  normal  flare  engage  heights. 

f. The automatic landing system design shall meet the criteria for approval
of Category III landing weather minimums defined in paragraph 6.6."

Discussion 


An automatic landing system (ALS) includes specifically all the elements
of airborne equipment and more generally includes the ground-based
equipment necessary for completion of an all-weather landing. All-weather
landings comprise the operations and procedures required to conduct approaches
and landings during Category II and III visibility conditions defined by the
International Civil Aviation Organization.

This definition states that an ALS includes all aircraft equipment,
ground  based  equipment,  operations,  and  procedures  over  some  of  which  the 
contractor  has  no  authority  or  control.  Since  this  specification  is  intended 
to  cover  the  design,  installation,  and  test  of  flight  control  systems  by 
establishing  general  performance,  design,  development,  and  quality  assurance 
requirements  for  the  flight  control  systems,  the  requirement  for  an  automatic 
landing system as defined is believed to be beyond the scope of this
specification. The majority of the performance requirements stated in the
requirements however are pertinent to an automatic landing mode. It is recognized
that  the  procuring  agency  has  the  need  to  exercise  its  prerogatives  for 
ground  and  flight  procedures  and  equipment  and  for  weather  minimums  for  which 
the  aircraft  should  be  cleared.  The  contractor  must  satisfy  the  requirements 
insofar  as  he  is  able  within  the  limitations  imposed  by  requirements  and 
equipment  over  which  he  has  no  control.  The  contractor  should  therefore  be 
responsible  for  installing  equipment  to  meet  specific  performance  requirements 
which  are  measurable  and  for  which  he  has  control. 


Requirement 3.1.2.10b implies that rollout guidance should be designed to
accommodate Category IIIb and IIIc visibility conditions. This requirement
could require sophisticated ground equipment to be installed at the landing
area. The type of ground guidance used would dictate the equipment to be
installed in the aircraft. It is felt that this is not feasible since each
government organization, aircraft manufacturer, equipment manufacturer, and
related organization would have different approaches on proper ground guidance
to achieve Category IIIb and IIIc control. In addition, it is believed
that there are no commercial or military airfields that have ground
equipment that is capable of guiding an aircraft under the stated weather minima.

This requirement should require equipment installed which could be
used in meeting the Category IIIa Landing Weather Minima. Any further
requirements beyond Category IIIa should be contained in the RFP with an
explanation of the ground equipment to be used.


3.1.2.10.1 All weather landing performance standards - variations of aircraft
and airborne equipment configurations. Line 1: Change the title to "Automatic
landing performance standards - variations of aircraft and airborne
equipment configurations."

Discussion 


This requirement is valid for present and future aircraft except for the
title "All weather landing system." This should be changed to "Automatic
landing system." See the evaluation on requirement 3.1.2.10.

3.1.2.10.2 Performance standards - ground based equipment variations. Delete
the entire paragraph and substitute the following:

"Proof of compliance with performance requirements for automatic landing
systems shall include the effects of expected variation in type and quality
of the ground based equipment."

Discussion 

This  requirement  includes  areas  that  should  not  be  included  in  a  flight 
control  system  specification,  such  as  touchdown  zone  lighting  and  taxi  zones. 
Only  flight  control  requirements  that  the  aircraft  manufacturer  is  responsible 
for  should  be  included  in  this  specification  to  insure  that  compliance  with 
requirements  can  be  demonstrated.  This  same  subject  is  discussed  in  the 
evaluation  of  requirement  3.1.2.10. 

This  requirement  should  include  the  expected  variation  of  the  ILS  beam 
that  should  be  considered  during  design  and  evaluation. 

3.1.3.1 Redundancy

Discussion 


In support of the redundancy discussion in the User Guide, formal
definitions of the terms fail operate, fail passive and fail safe have been
included as an update to the Definitions paragraph 6.6.

In  a  discussion  of  the  survivability  requirements  of  3.1.8,  the  topic 
of  dissimilar  back-up  systems  is  reviewed. 

3.1.3.1: After this paragraph, insert the following as a new paragraph:

"3.1.3.1.1 Redundancy management. In the design of a redundant flight
control system, the redundancy management approach determined by the
contractor shall be:

a. based on meeting the flight safety and mission reliability
requirements of this specification.

b. consistent with the use of the system test and monitoring
provisions of requirements 3.1.3.9 and associated subparagraphs.

c. validated by appropriate analyses.

d. addressed in the software requirements definition when applicable."

Discussion

With the utilization of redundant channels for the implementation of
active control technology in present and future aircraft, redundancy
management has become a major flight control system design area, and thus needs to
be addressed by this specification. Without this requirement the
specification is deficient.

As shown in references 2 through 14, numerous flight control system
specifications and studies addressing the implementation of fly-by-wire control
systems have major sections addressing redundancy management. Currently the
F-18A uses an estimated minimum of 25% of its software for redundancy
management.

The purpose of redundancy management is to provide failure transient
protection and efficient, effective normal operation, while maximizing
mission reliability and flight safety.

To  this  end,  redundancy  management  must  be  employed  at  various  levels 
within  the  flight  control  system  architecture  to  perform  such  tasks  as: 

1)  failure  detection 

2)  failure  isolation 

3)  system  reconfiguration 

4)  channel  recovery  update 

5)  cross  channel  data  transmission 

6)  cross  channel  synchronization  for  synchronous  computers 

7)  input  signal  management 


8)  actuator  management. 

In performing these tasks, in particular failure detection and
isolation, the redundancy management approach will influence and be influenced by
the 3.1.3.9 specification requirement and the inflight monitoring techniques
discussed in this document and the MIL-F-9490D User Guide. The
comprehensiveness of any redundancy management approach will be based on its
utilization of voter planes and inline (or self test) monitoring. It has been
shown that for long missions, systems employing interunit selection at the
LRU level can be more reliable than systems employing one higher level of
redundancy and using midvalue signal voting as the only means of fault
detection and isolation. Thus application of advanced redundancy management
techniques to meet a given reliability requirement can result in significant
equipment savings. Some caveats for redundancy management are: 1) for
electrical signal computation no computer shall interfere with the operation
of another, and 2) pilot intervention should not be required for system
reconfiguration in the event of a failure.

In  the  implementation  of  redundancy  and  redundancy  management  methods  to 
satisfy  flight  safety  and  mission  reliability  requirements,  it  is  necessary 
that  the  design  address  not  only  what  is  required  for  the  flight  control 
system  per  se,  but  also  what  is  required  for  any  supporting  system  (e.g., 
mission  computer  and  air  data  system)  which  is  flight  safety  critical  or 
flight  phase  essential. 

The success criterion by which a redundancy management approach is
typically measured is its coverage. Although the term coverage has been given
slightly different interpretations in the literature available today, the most
encompassing one defines coverage as the conditional probability that, given a
failure, the system continues to perform the required function.

While  some  studies,  references  7,  9,  and  11,  have  specified  that  a 
probability  of  coverage  as  high  as  1.0  can  be  obtained  for  a  first  failure 
and  a  probability  of  .94  or  better  for  a  second  failure  in  order  to  achieve 
an acceptable flight safety value, in practice attempts to achieve the
required  flight  safety  goal  typically  utilize  lower  failure  coverages, 
references  2,  4,  5,  6,  and  15. 

The  critical  criteria  for  the  determination  of  acceptable  probability  of 
coverage  values  for  first  and  second  failures  are  the  mission  reliability  and 
flight  safety  requirements  of  paragraphs  3.1.6  and  3.1.7.  When  assured 
adequate  reliability  and  safety  other  influencing  factors  are  the  tradeoffs 
between  system  complexity,  weight  and  cost. 

In the development of redundant flight control systems to satisfy the
flight  safety  requirements,  there  have  been  as  many  different  approaches  as 
there  have  been  types  of  aircraft. 

The  DIGITAC  aircraft,  a  modified  A-7D  containing  dual  digital  computers, 
references  5  and  6,  is  designed  to  be  fail  safe  for  all  failures  and  fail 
operation/fail safe for failures in the computer and memory units. The
fail  operation/fail  safe  capability  of  the  dual  computers  and  memories  was 
achieved  by  extensive  self  test;  and  the  fail  safe  function  of  the  servos 
and  sensors  was  made  possible  by  comparison  monitoring  of  dual  servos  and 
sensors  for  all  flight  critical  parameters.  Through  computer  monitoring,  the 
interfacing  units  were  fail  safe. 

Development problems uncovered by this program are contributing to future
designs. One example is the problem of interaction between self-test routines.
In one instance, a power-supply problem caused one computer to fail. An
unforeseen timing situation in the self-test of the cross-computer data link
caused the good computer to shut itself off. This problem was corrected.
However, its existence shows that these kinds of interactions must be studied
very carefully.

The F-8 Digital Fly-by-Wire system has three primary digital channels.
There is a back up system which is also electronic. The critical input sensors
are triplex, and data from each of the redundant sensors are supplied to all
three computers. Identical signal-selection programs are performed in each
computer. This signal selection identifies and removes the effects of failed
sensors and produces identical input signals for each of the three computers.
These identical inputs are used by the computers to produce three control-surface
command outputs. The midvalue of the three commands is selected by three
different servo-control-electronics channels. These three channels drive the
three sections of triplex force-summed secondary actuators which in turn
command the primary power actuators. The selection logic in the analog drive
channels will identify and eliminate a failed digital channel if its command
signals deviate significantly from the other two. The system will continue
operating using the two remaining good channels. Many of the faults detected
are transient and the system has the capability of restarting the failed
channel and returning to full three-channel operation. If the fault is
permanent so that only two channels remain and they do not agree, the system
reverts to a triplex direct analog coupling between the pilot commands and
the servo drives.

The YC-14 system uses a triple-redundant set of electronics and multiple
aerodynamic surfaces to achieve fail operational/fail safe performance.
The system provides automatic signal selection, failure detection, failure
isolation, failure warning, and failure isolation confirmation during
flight-critical operations. The input signal selection guarantees that all computers
will use the same numbers and thus produce identical outputs. The output is
selected as the midvalue of the three values. The system continues to
operate after the first failure by taking the average of the two remaining
systems. When the two remaining systems disagree, they are both disabled and
the aircraft is flown manually.
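
The selection sequence described above for the YC-14 (midvalue of three, average of the two remaining channels after a first failure, both disabled when they disagree) is worked through below as an added Python example; it is not code from the report or from the YC-14 program. The miscompare threshold, the persistence count used to ride through transients, and the sample command frames are assumptions constructed for illustration.

```python
from statistics import median


class TriplexVoter:
    """Output-command voter: triplex midvalue -> duplex average -> manual."""

    def __init__(self, threshold, persistence):
        self.threshold = threshold      # assumed miscompare tolerance
        self.persistence = persistence  # assumed frames before a fault latches
        self.healthy = [True, True, True]
        self.strikes = [0, 0, 0]        # consecutive miscompares per channel
        self.pair_strikes = 0           # consecutive duplex disagreements
        self.manual = False             # True once automatic control is dropped

    def mode(self):
        if self.manual:
            return "MANUAL"
        return "TRIPLEX" if all(self.healthy) else "DUPLEX"

    def step(self, commands):
        """Vote one frame of three channel commands; None means no output."""
        if self.manual:
            return None
        active = [i for i in range(3) if self.healthy[i]]
        if len(active) == 3:
            # Midvalue select: a single wild channel cannot reach the output.
            selected = median(commands)
            for i in active:
                if abs(commands[i] - selected) > self.threshold:
                    self.strikes[i] += 1
                else:
                    self.strikes[i] = 0  # transient cleared, no isolation
                if self.strikes[i] >= self.persistence:
                    self.healthy[i] = False  # isolate the failed channel
            if sum(self.healthy) < 2:
                self.manual = True  # nothing left to cross-compare
            return selected
        # Duplex: the pair can detect a disagreement but cannot tell which
        # channel is wrong, so a persistent miscompare disables both.
        a, b = (commands[i] for i in active)
        if abs(a - b) > self.threshold:
            self.pair_strikes += 1
        else:
            self.pair_strikes = 0
        if self.pair_strikes >= self.persistence:
            self.manual = True
            return None
        return (a + b) / 2.0


def run(frames, threshold, persistence):
    """Feed frames through a fresh voter; return (output, mode) per frame."""
    voter = TriplexVoter(threshold, persistence)
    results = []
    for frame in frames:
        out = voter.step(frame)
        results.append((out, voter.mode()))
    return results


# Constructed sample: channel 3 goes hardover at frame 2, then channel 2
# drifts away from channel 1 at frame 6.
SAMPLE_FRAMES = [
    (1.0, 1.25, 0.75),
    (1.0, 1.25, 0.75),
    (1.0, 1.25, 10.0),
    (1.0, 1.25, 10.0),
    (1.0, 1.25, 10.0),
    (1.0, 1.25, 10.0),
    (1.0, 3.0, 10.0),
    (1.0, 3.0, 10.0),
    (1.0, 3.0, 10.0),
    (1.0, 1.0, 1.0),
]

if __name__ == "__main__":
    for n, (out, mode) in enumerate(run(SAMPLE_FRAMES, 0.5, 3)):
        print(n, out, mode)
```

In the duplex frames before the disagreement latches, the averaged output is already pulled toward the faulty channel, which is why the persistence count trades transient tolerance against the size of the failure transient.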

For  the  quadruplex  analog  flight  control  system  of  the  F-16,  failure 
detection  and  isolation  performed  by  inflight  monitoring  consist  primarily  of: 

a)  middle-value  signal  selection  following  electrical  signal  computation 
and  FCC  servo  amplifier  failure  detection,  and 

b)  integrated  servo  actuator  (ISA)  failure  detection. 

The  ISA  failure  detection  incorporates  differential  pressure  sensing  of 
the  servovalves,  hydromechanical  failure  detection,  and  ISA  position  versus 
computer  model  position. 

The  F-16  is  no  less  than  one  fail  operate  overall  and  a  minimum  of  two 
fail  operate  if  one  failure  is  electrical. 

The F/A-18A flight control system utilizes quadruplex digital computation,
direct electrical links, and a mechanical back-up system in pitch and roll.
The leading and trailing edge flaps and horizontal/rolling tail have
quad-redundant servovalves, and the rudders and aileron surfaces have a dual/dual
electrical capability. All actuators have access to two separate hydraulic
systems.

The  digital  flight  control  computers  and  the  electrical  system  overall 
have a two fail operate capability. Hydromechanically the system has at least
a  fail  operate  capability. 

For  the  performance  of  redundancy  management  the  F/A-18  inflight  monitoring 
is very comprehensive. In addition to thorough computer self-test the system
has  two  voting  planes.  Through  a  cross  channel  data  link  the  first  evaluates 
the  input  signals  to  the  flight  control  computers,  where  failed  signals  are 
ignored  and  the  remaining  good  signals  are  averaged. 

The second conceptual voting plane pertains to the actuator quad coil
drive current summing concept. To evaluate the status of actuators and
actuator signals, the redundancy management employs: differential pressure sensing
to evaluate the EHV; cross CAS monitoring to evaluate CAS ram, main ram, and
input signals; and a current monitor to check servoamplifiers and EHV coils.

The  current  redundancy  approach  for  the  Advanced  Fighter  Technology 
Integration  program,  i.e.,  the  AFTI-F-16,  will  be  based  on  a  triplex  digital 
flight  control  system  which  provides  a  dual  fail  operate  capability.  The 
following  excerpts,  taken  from  reference  2,  are  an  overview  of  the  preliminary 
AFTI-F-16  redundancy  management. 

Previous  system  architectural  studies  have  indicated  that  optimum  failure 
survivability  and  failure  isolation  to  the  LRU  level  require  that  the  flight 
control  system  have  three  voting/monitoring  planes.  Two  of  these  planes  are 
in  software  and  are  at  the  sensor/controller  interface  and  the  output  surface 
command  interface.  The  purpose  of  the  input/monitoring  plane  is  to  detect 
and  isolate  failures  associated  with  the  sensors,  controllers,  and  input 
circuitry  from  those  associated  with  the  processor  and  its  memory.  The 
output voting/monitoring plane is used to detect and isolate failures
associated with the Flight Control Computer CPU and its memory. It is
located internally to the ISA's and can be used to isolate failures
associated with the computer output circuitry and ISA servovalve coils, as well
as internal ISA failures.

In  addition  to  these  voting  planes  there  is  also  processor  self-test 
which  is  used  to  isolate  certain  first  failures  and  majority  of  second 
like-failures.  Hardware  self-test  features  (e.g.,  the  watchdog  timer,  word 
count  and  parity  checks  on  MUX  bus  receipts,  memory  parity  and  wraparounds) 
are always active and are used for failure isolation. Software driven
self-tests include memory-sum checks, which are accomplished in background, and
event-driven  tests,  which  are  activated  when  failures  are  discovered. 

A  second  like  processor  failure,  if  isolated  by  self-test,  will  cause 
control  shift  to  the  last  remaining  good  processor.  If  the  failure  is  not 
isolated,  then  for  AFTI-F-16  development  safety  purposes  the  independent 
backup  unit  (IBU)  two  fail  operate  capability  is  engaged.  The  IBU  is  also 
automatically  engaged  whenever  all  three  processors  indicate  that  they  have 
failed. 

In the AFTI program the projected coverage of a flight control computer
to isolate its own failure through self test is 0.951.

3.1.3.3.4 Failure transients. Line 3: Delete the second sentence and
substitute  "A  realistic  time  delay  between  the  failure  and  initiation  of 
pilot  corrective  action  shall  be  incorporated  when  determining  compliance. 
This  time  delay  should  include  an  interval  between  the  occurrence  of  the 
failure  and  the  occurrence  of  a  cue  such  as  acceleration,  rate,  displacement, 
or  sound  that  will  definitely  indicate  to  the  pilot  that  a  failure  has 
occurred,  plus  an  additional  interval  which  represents  the  time  required  for 
the  pilot  to  diagnose  the  situation  and  initiate  corrective  action." 

Line  5:  Delete  the  third  and  fourth  sentences  and  substitute 
"The  following  limits  apply  to  transients  due  to  failures  within  the  FCS  as 
a  function  of  the  Operational  State  of  the  system  after  the  failure: 


Operational State I or II (after failure):

    ±0.5g incremental normal or lateral acceleration at
    the pilot's station and ±10 degrees per second roll
    rate, except that neither stall angle of attack nor
    structural limits shall be exceeded. In addition for
    Category A, vertical or lateral excursions of 5 feet,
    ±2 degrees bank angle.

Operational State III (after failure):

    No dangerous attitude or structural limit is reached,
    and no dangerous alteration of the flight path results
    from which recovery is impossible."


Discussion 


Both 8785 and 9490 MIL specs cover the transient response following a
failure and pilot corrective action. This duplication of coverage is
supported because of the essential involvement of these two disciplines in this
very important issue. Because of this duplication, however, it is important
to correlate the requirements as closely as possible to minimize the analysis
and tests necessary to demonstrate compliance.

8785 discusses transients due to failures in two locations. In the
"Miscellaneous Flying Qualities" section (paragraph 3.4.8 in 8785C), the considerations
by which one determines the pilot reaction time delay are given. Specific
numbers are not given, but rather guidance is given for each specific aircraft
and its warning system and natural cues. These are the same factors for
consideration in 9490. Transients due to failures are also discussed in the
"Characteristics of the Primary Flight Control System" section (paragraph
3.5.5.1 of 8785C). This is where load factor, roll rate, etc. response limits
are stated.

The  objective  in  both  specifications  is  to  assure  crew  acceptance  and 
flight  safety.  Therefore  the  same  quantitative  limits  are  used  in  each 
specification.  9490D  was  closely  aligned  with  the  Operational  State  III 
after  failure  condition,  which  required  the  transients  not  to  exceed  75  percent 
of  limit  load  factor  or  1.5  g's  from  the  initial  value,  whichever  was  less. 

For  most  aircraft,  of  course,  the  1.5g  was  the  governing  requirement,  and 
this  was  significantly  more  restrictive  than  the  structural  limit  allowed 
by  8785.  However,  one  must  consider  that  even  1.5g's  might  be  excessive, 
especially  at  low  speed  close  to  the  ground.  For  that  reason  both  specifications 
require  that  no  flight  path  deviations  be  encountered  from  which  recovery  is 
impossible. 

3.1.3.6.1 Stability margins. Line 15: Delete the last sentence and
substitute the following:

"The  margins  specified  by  Table  III  shall  apply  regardless  of  system 
implementation,  analog  or  digital,  and  shall  be  maintained  under  flight 
conditions  of  most  adverse  center-of-gravity,  mass  distribution,  and 
external  store  configuration  throughout  the  operational  envelope  and 
during  ground  operations." 

3.1.3.6.2 Sensitivity analysis. Line 6: After the first sentence insert the
following: 

"In  addition,  these  tolerances  shall  also  include  normally  anticipated 
uncertainties  in  predicted  aerodynamic  characteristics,  aeroelastic 
effects, and structural modes. For digital flight control systems, the
tolerances established shall specifically include the effects of sampling
rates,  input  and  output  filters,  digital  filter  implementation,  and 
integration  technique." 

Discussion 


The  modification  to  the  stability  requirement  paragraphs  reflects  the 
experience  gained  in  recent  aircraft  development  programs  in  the  areas  of 
flight  control-structural  dynamics  interaction  and  digital  flight  control 
implementation.  This  experience  highlighted  the  need  for  a  comprehensive 
analytical  approach,  complementing  the  test  verification  process,  to  provide 
the  required  stability  margins. 

Inherent to the success of the analytical approach is the
comprehensiveness of the model used in the analysis. Overly simplistic models, although
valuable in visualizing trends, may lead to optimistic predictions as pointed
out in the related discussion of reference 46. The analysis model must
provide a valid representation of the airframe, structural dynamics and
control system characteristics. To this end, it must account for all
anticipated nonlinearities, prediction uncertainties and, in the case of digital
flight controls, sampling effects. These considerations are emphasized by
the revision proposed for the stability requirement paragraphs.

Aeroservoelastic  instability,  the  one  manifestation  of  flight  control- 
structural  dynamics  interaction  that  defies  detection  by  traditional  ground 
tests,  has  been  addressed  in  detail  in  papers  authored  by  Barfield  and  Felt, 
reference 21, and Felt et al., reference 22. These papers concluded that a
fully integrated analytical approach, involving the disciplines of
aerodynamics, structural dynamics and flight controls, is required to insure the
required  stability. 

The  analytical  model  of  the  aircraft  aerodynamic  characteristics  used  to 
evaluate  limit  cycle  margins  may  use  rigid  body  representations,  adjusted  for 
flexibility  effects,  with  sufficient  allowance  for  uncertainties  in  predicting 
aerodynamic damping and flexible-to-rigid ratios. To evaluate stability
margins relative to zero airspeed servoelastic instability and in-flight
aeroservoelastic instability, the analytical model must account for the
effects of aerodynamic and inertial coupling between axes, airframe
structural modes, and the frequency dependent nature of the aerodynamic
derivatives, as pointed out in reference 25.

Reference 25 also provides an example of successfully applying the
characteristic diagram technique, with the oscillatory aerodynamic forces
calculated by the doublet lattice method, to analyze aeroservoelastic stability.
Reference 26 describes a methodology for synthesizing aeroelastic
airframe transfer functions that allows the examination of stability by
classical stability analysis techniques. The transfer function synthesis
method holds the promise of a truly unified and integrated analysis approach
to the stability problem.

With  digital  flight  controls  coming  of  age,  characteristics  peculiar  to 
digital  implementation  need  to  be  considered  and  appropriately  modeled.  For 
example,  sampling  effects  may  introduce  significant  phase  shift  in  the  flight 
control  loop  closure  with  an  attendant  reduction  in  stability  margins,  as 
described  in  references  23  and  24.  As  the  stability  margins  need  to  be 
satisfied  regardless  of  system  implementation,  the  analysis  model  of  a 
digital system must be sufficiently representative of the real time
characteristics.
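
The reduction in stability margins from sampling described above is worked through below in Python as an added example; it is not taken from the report or its references. The loop K/(s(tau*s+1)), its gain and lag, the sample rates and the computation delays are assumed values chosen for illustration; the sample-and-hold is represented by its exact frequency response and the computation time by a pure delay.

```python
import math


def loop_mag(w, K, tau, T):
    """|L(jw)| for L(s) = K/(s(tau s + 1)) behind a zero-order hold of period T."""
    x = 0.5 * w * T
    zoh = 1.0 if x == 0.0 else abs(math.sin(x) / x)  # hold attenuation
    return K * zoh / (w * math.hypot(1.0, tau * w))


def loop_phase(w, tau, T, Tc):
    """Unwrapped phase in radians: integrator, lag, hold (wT/2), compute delay."""
    return -math.pi / 2 - math.atan(tau * w) - w * (0.5 * T + Tc)


def bisect(f, lo, hi, iters=200):
    """Root of a decreasing function with f(lo) > 0 > f(hi)."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if f(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def margins(K, tau, T=0.0, Tc=0.0):
    """Return (phase margin in degrees, gain margin in dB).

    T is the sample period and Tc the computation delay, both in seconds;
    T = Tc = 0 gives the continuous (analog) loop.
    """
    hi = 10.0 * K if T == 0.0 else min(10.0 * K, math.pi / T)
    if loop_mag(hi, K, tau, T) >= 1.0:
        raise ValueError("gain crossover at or above the Nyquist frequency")
    wc = bisect(lambda w: loop_mag(w, K, tau, T) - 1.0, 1e-6, hi)
    pm = math.degrees(math.pi + loop_phase(wc, tau, T, Tc))

    delay = 0.5 * T + Tc
    if delay == 0.0:
        gm = math.inf  # phase of the continuous loop never reaches -180 deg
    else:
        # Phase passes -180 deg below w = (pi/2)/delay, inside the hold's main lobe.
        w180 = bisect(lambda w: loop_phase(w, tau, T, Tc) + math.pi,
                      1e-6, (math.pi / 2) / delay)
        gm = -20.0 * math.log10(loop_mag(w180, K, tau, T))
    return pm, gm


if __name__ == "__main__":
    K, TAU = 4.0, 0.05  # assumed loop gain (1/s) and actuator lag (s)
    cases = [("analog", 0.0, 0.0), ("40 Hz", 0.025, 0.025), ("10 Hz", 0.1, 0.1)]
    for name, T, Tc in cases:
        pm, gm = margins(K, TAU, T, Tc)
        print(f"{name:>6}: PM = {pm:5.1f} deg, GM = {gm:5.2f} dB")
```

With these assumed values the analog loop has about 79 degrees of phase margin and unbounded gain margin, while the 10 Hz implementation with a one-frame computation delay falls to about 45 degrees and 6.8 dB.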

As pointed out in reference 1, the variations in gain and phase margins
as a function of relative mode frequencies (e.g., Table III of AFFDL-TR-74-116)
are somewhat cumbersome to apply. However, existing data do not provide
sufficient basis to revise these requirements. It is generally agreed that
6 db gain and 45 degrees phase margin are adequate, and may even be
conservative, once all aerodynamic and aeroelastic characteristics are well known
and other concerns such as residual oscillations and hardware wear effects
are satisfied. For initial flights of an aircraft type, larger margins are
desirable, as recommended in reference 23. This recommendation is largely
based on actual test experience revealing lower than predicted stability
margins due to prediction inaccuracies in aerodynamic or aeroelastic
characteristics, sampling effects in digital implementation, and jump resonance
type non-linearity attributed to actuator rate saturation. The requirement
allows the necessary latitude to consider each weapon system on an individual
basis, thus insuring its applicability to future procurements.

3.1.3.7 Operation in turbulence. Delete the entire paragraph and substitute
the  following: 

"The  FCS  must  be  capable  of  operating  while  flying  in  the  following 
applicable  random  and  discrete  turbulence  environments.  The  dynamic  analysis 
or  other  means  used  to  satisfy  this  requirement  shall  include  the  effects 
of  rigid  body  motion,  significant  flexible  degrees  of  freedom,  and  the  flight 
control  system.  The  effect  of  the  turbulence  on  the  pitot  system  and  on  any 
vanes  or  other  sensors  must  be  considered. 

a.  In  normal  operation  (Operational  State  I)  in  the  turbulence  environment 
the FCS shall provide a safe level of operation and maintain mission
accomplishment capability.

b.  With  the  essential  and  flight  phase  essential  controls  engaged  and 
active  the  FCS  performance  must  permit  safe  termination  of  precision  tracking 
or  maneuver  tasks,  and  safe  cruise,  descent,  and  landing  at  the  destination 
of  original  intent  or  alternate.  The  pilot's  workload  may  be  excessive  or 
the  mission  effectiveness  inadequate.  The  performance  must  be  possible  while 
operating  in  the  turbulence  levels  of  3. 1.3. 7.1. 

c.  The  noncritical  controls  shall  provide  at  least  a  level  of  performance 
which  results  in  a  moderate  increase  in  crew  workload  and  degradation  in 
mission  effectiveness;  however,  the  intended  mission  may  be  accomplished. 

This  performance  must  be  possible  while  operating  in  the  turbulence  levels 

of  3. 1.3. 7.1. 

d.  When  operating  in  turbulence  intensities  greater  than  those  of 

3. 1.3. 7.1,  the  operation  of  the  noncritical  controls  shall  not  degrade  flight 
safety  or  mission  effectiveness  below  what  exists  with  the  controls  inactive. 
Either  manual  or  automatic  means  may  be  used  to  inactivate  the  noncritical 
controls  in  heavy  turbulence  when  required." 

Discussion 

The primary point of ambiguity in this requirement as stated in 9490D is the reference to Operational States. The definitions of Operational States in 1.2.2 include three considerations: (1) system operation/failure state, (2) corresponding pilot/mission performance, (3) corresponding 8785 flying qualities level. In paragraph 3.1.3.7 of 9490D with regard to essential, flight phase essential, and noncritical controls, the Operational States are intended to call out the required pilot/mission performance. However, because of the ambiguity concerning failure states associated with Operational States II and III, 3.1.3.7 becomes unclear. This is avoided by using the pilot/mission performance statement directly.

3.1.3.7.1 Random turbulence. Second paragraph, Line 6, delete the sentence "At the maximum level flight airspeed, V these intensity levels are reduced to 38 percent of the specified levels."

Discussion 

This  change  was  made  due  to  a  lack  of  justification  for  its  inclusion 
within  the  specification. 

3.1.3.9 System test and monitoring provisions
Discussion 

Since  AFFDL-TR-74-116  was  issued,  there  has  been  a  considerable  amount 
of  work  in  system  test  and  monitoring.  The  F-16  system  is  now  in  production, 
the  F/A-18A  is  in  full  scale  development,  and  the  AFTI-F-16  program  is 
completing  its  final  design  phase.  With  respect  to  digital  flight  control 
systems,  the  topics  of  redundancy  management,  coverage,  and  self  test  have 
received  considerable  attention.  Self  test  is  discussed  below  and  the 
topics  of  redundancy  management  and  coverage  are  addressed  in  the  redundancy 
management section, 3.1.3.1.1.

In  the  development  of  design  specifications  for  the  procurement  of 
advanced  aircraft  (fighter  aircraft  in  particular),  the  detail  that  is 
given  to  the  areas  of  comprehensive  built-in  test  is  intense  and  far  beyond 
that  generality  addressed  through  MIL-F-9490.  There  was  some  thought  given 
by  advisory  personnel  on  this  project,  who  had  been  involved  with  BIT 
specifications  for  the  F/A-18  and  F-5G  programs,  that  the  MIL-F-9490 
specification  should  be  revamped  to  address  BIT  on  the  design  level  rather 
than  at  the  generic  level.  However,  such  a  task  was  beyond  the  scope  of  the 
contract and not desired for the 9490 update at this time.

However, comprehensive procedures do need to be established relative to the demonstration and verification of BIT. Two documents which address this area are an addendum to MIL-STD-471A, Demonstration and Evaluation of Equipment/System Built-In Test/External Test/Fault Isolation/Testability Attributes and Requirements, and Report RADC-TR-79-309, BIT External Test Figures of Merit and Demonstration Techniques. The verification and validation of BIT software will have to be in accordance with the overall software procedures as outlined in the Computer Program Configuration Item (CPCI) and defined by the software verification/validation test plan.

Due  to  the  large  portion  of  the  FCS  Operational  Flight  Program  software 
that  built-in  test  requires,  the  BIT  software  should  be  modularized  in  its 
utilization  of  the  hardware,  so  that  in  providing  for  changes  and  growth 
potential,  the  verification  and  validation  activity  required  is  minimized. 

In the design and implementation of electrical signal computation for flight control systems, a key area of concern with respect to flight safety and mission reliability is the system's inflight monitoring capability. This inflight monitoring includes cross channel monitoring, the use of data reasonableness, and computer self test.

The level of self test a computer can competently perform will influence the level of redundancy required to satisfy the system flight safety and mission reliability requirements.

For  digital  flight  control  systems,  self  test  is  the  aspect  of  inflight 
monitoring  which  monitors  the  integrity  of  the  processor,  memory,  and  input/ 
output  interfaces  of  the  digital  flight  control  computer. 

For  two  channel  digital  flight  control  system  operation,  in-line  monitoring 
must  be  used  to  resolve  any  channel  differences.  When  in-line  monitoring  is 
used,  the  computer  must  first  perform  self  test  prior  to  checking  the 
other  elements  of  the  digital  flight  control  system.  Self  testing  will 
encompass  both  software  and  hardware. 

The following is a list of recommended self tests from references 8, 9, 14, and 18:

1.  Instruction  test  sequence  -  test  for  endless  loops,  time  deadline 
to  exercise  all  instructions. 

2.  Scratch-pad  read-write  test.  A  number  of  locations  in  the  scratch 
pad  are  dedicated  to  self  testing.  On  successive  test  iterations,  random 
patterns  are  written  into  these  dedicated  locations  and  then  checked.  This 
tests  the  memory  integrity  and  addressing  structure  of  the  scratch  pad. 

3. Wrap around loop tests - to verify the computer I/O sections for both analog and discrete data.

4. Use of hardware circuitry to monitor the computer power supplies. Power supply status signals will be exchanged between computers.

5.  Incorporation  of  a  high-priority  power  failure  interrupt  to  effect 
an  orderly  computer  shut-down  in  the  event  of  a  power  drop-out.  Power-off 
and  power-on  status  signals  will  be  exchanged  between  computers. 

6.  Incorporation  of  a  deadman  timer  (redundant  if  necessary  to  achieve 
required  reliability)  to  detect  computer  stoppages.  Failure  of  the  software 
to  reset  the  timer  indicates  a  computer  failure. 

7.  Use  of  an  internal  timer  to  monitor  the  time  required  to  complete 
various  portions  of  the  self-test  program. 

8. Use of parity to monitor continuously the memory storage locations. When bad parity is indicated, an interrupt will be initiated.

9.  Check  data,  address,  and  control  lines  by  reading  out  of  memory  data 
patterns  of  zeroes  and  ones,  stored  in  predetermined  locations. 

10.  Memory-sum  checks  for  those  portions  of  memory  containing  constants 
and  instructions.  The  sum  check  requires  more  execution  time  than  can  be 
used  immediately  following  computer  start-up. 

11.  Sample  problems  to  check  the  CPU  -  designed  to  exercise  the  instructions 
used  to  solve  the  control  laws. 

12.  An  arithmetic  fault  interrupt  to  sense  overflows. 

13.  Parity  -  to  monitor  continuously  the  transmission  of  data  over  the 
I/O  channels.  When  bad  parity  is  detected,  an  interrupt  will  be  initiated. 
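The following C sketch is an added example, not code from any of the programs or references cited here. It shows one way self tests 2, 6 and 10 could fit together in a frame-based computer; the memory sizes, pattern generator, additive checksum, fault-injection hooks and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added illustration: every name, size and fault model here is an assumption. */
#define SPAD_WORDS 8u   /* scratch-pad words dedicated to self test */
#define ROM_WORDS  16u  /* constants and instructions covered by the sum check */
enum { ST_FAIL = -1, ST_PENDING = 0, ST_PASS = 1 };
enum { FAULT_NONE, FAULT_DATA_BIT, FAULT_ADDR_LINE, FAULT_ROM_FLIP, FAULT_HANG };

typedef struct {
    uint16_t cell[SPAD_WORDS];
    uint16_t data_stuck0; /* injected fault: data bits forced to 0 on write */
    size_t   addr_mask;   /* healthy = SPAD_WORDS - 1; a cleared bit is a stuck address line */
} spad_t;
typedef struct { const uint16_t *base; size_t len, pos; uint16_t acc, expected; } memsum_t;
typedef struct { uint32_t reload, count; int tripped; } deadman_t;
typedef struct { spad_t spad; uint16_t seed; memsum_t rom; deadman_t wd; } fcc_t;

/* 16-bit Galois LFSR, taps 0xB400: steps through all 65535 nonzero values. */
static uint16_t lfsr_next(uint16_t x) {
    return (x & 1u) ? (uint16_t)((x >> 1) ^ 0xB400u) : (uint16_t)(x >> 1);
}

/* Write every test word, then read every test word. Reading only after all
   writes are done exposes address faults as well as stuck data bits. */
static int spad_pass(spad_t *s, uint16_t seed, uint16_t invert) {
    uint16_t x = seed;
    int ok = 1;
    for (size_t i = 0; i < SPAD_WORDS; i++) {
        x = lfsr_next(x);
        s->cell[i & s->addr_mask] = (uint16_t)((x ^ invert) & ~s->data_stuck0);
    }
    x = seed;
    for (size_t i = 0; i < SPAD_WORDS; i++) {
        x = lfsr_next(x);
        if (s->cell[i & s->addr_mask] != (uint16_t)(x ^ invert)) ok = 0;
    }
    return ok;
}

/* Self test 2: new pseudo-random patterns on each iteration. The complemented
   second pass (an addition to the listed test) drives every bit both ways. */
int spad_rw_test(spad_t *s, uint16_t *seed) {
    int ok = spad_pass(s, *seed, 0x0000u) & spad_pass(s, *seed, 0xFFFFu);
    *seed = lfsr_next(*seed);
    return ok;
}

/* Self test 10, sliced: add at most `budget` words per frame, so the full sum
   never has to fit into one frame or into the start-up window. */
int memsum_step(memsum_t *m, size_t budget) {
    while (budget-- > 0 && m->pos < m->len)
        m->acc = (uint16_t)(m->acc + m->base[m->pos++]);
    if (m->pos < m->len) return ST_PENDING;
    int result = (m->acc == m->expected) ? ST_PASS : ST_FAIL;
    m->pos = 0; m->acc = 0; /* restart for continuous background checking */
    return result;
}

/* Self test 6: hardware counts down every frame; only healthy software reloads. */
void deadman_kick(deadman_t *d) { if (!d->tripped) d->count = d->reload; }
void deadman_tick(deadman_t *d) { if (d->count == 0 || --d->count == 0) d->tripped = 1; }

/* One computation frame. The timer is reset only when the self tests pass, so a
   detected fault and a stalled program end in the same hardware-visible trip. */
int fcc_frame(fcc_t *c) {
    int ok = spad_rw_test(&c->spad, &c->seed) && memsum_step(&c->rom, 4) != ST_FAIL;
    if (ok) deadman_kick(&c->wd);
    return ok;
}

static uint16_t demo_rom[ROM_WORDS]; /* constructed image, filled by demo_run */
/* Runs up to `frames` frames with one constructed fault injected at frame 3.
   Returns the frame in which the deadman timer tripped, or -1 if it never did. */
int demo_run(int fault, int frames) {
    fcc_t c = { .spad = { .addr_mask = SPAD_WORDS - 1 }, .seed = 0xACE1u,
                .wd = { .reload = 2, .count = 2 } };
    uint16_t sum = 0;
    for (size_t i = 0; i < ROM_WORDS; i++)
        sum = (uint16_t)(sum + (demo_rom[i] = (uint16_t)(0x1000u + 37u * i)));
    c.rom = (memsum_t){ demo_rom, ROM_WORDS, 0, 0, sum };
    for (int f = 0; f < frames; f++) {
        if (f == 3 && fault == FAULT_DATA_BIT)  c.spad.data_stuck0 = 0x0040u;
        if (f == 3 && fault == FAULT_ADDR_LINE) c.spad.addr_mask = 0x3u;
        if (f == 3 && fault == FAULT_ROM_FLIP)  demo_rom[5] ^= 0x0001u;
        if (!(fault == FAULT_HANG && f >= 3)) fcc_frame(&c); /* hang: frame never runs */
        deadman_tick(&c.wd);
        if (c.wd.tripped) return f;
    }
    return -1;
}

int main(void) {
    for (int k = FAULT_NONE; k <= FAULT_HANG; k++)
        printf("fault %d: deadman trip at frame %d\n", k, demo_run(k, 20));
    return 0;
}
```

The memory bit flip injected at frame 3 is not caught until frame 7, because the sliced sum needs a full pass over the image before it can compare; that latency is the price of keeping the sum check out of the start-up window. A plain additive sum also misses compensating errors, so a real design would weigh a stronger check against the execution time the list item mentions.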

When a choice exists between the implementation of hardware or software to perform monitoring tasks, the use of software is preferred since hardware results in a higher channel failure rate due to additional parts, and consequently results in a higher probability of loss of control (reference 14).

For  any  flight  control  system  utilizing  inflight  monitoring,  there  are 
two  aspects  which  currently  have  no  requirement  in  the  specification,  but  which 
require  consideration.  The  first  addresses  the  allowable  frequency  of 
nuisance  disconnects  and  false  alarms,  and  the  second  is  concerned  with  the 
recording  of  failures  and  transient  failures  which  occur  during  flight. 

During the flight testing of the YF-17 and the DIGITAC programs, numerous nuisance disconnects were encountered in the early phases of each program. The remedy for these nuisance disconnects was typically an opening of the trip monitor levels. This increase in the levels was to account for the transients associated with the FCS hardware performance and not the actual aircraft dynamics. Some monitor trip levels on the DIGITAC program were increased up to a factor of 10 from their original design values.

While on prototype and experimental programs such as the YF-17 and DIGITAC there appears to be little desire or need to specify an acceptable nuisance disconnect level, it may be very desirable in a production type program. The trade-off concern with nuisance disconnects, not unexpectedly, is flight safety. Some flight test personnel interviewed questioned whether some of the trip levels of the DIGITAC (among other aircraft) were even meaningful once an acceptable nuisance disconnect level was attained.

The allowable frequency for nuisance disconnects and false alarms has been addressed in at least two separate ways. From the Advanced Fighter Digital Flight Control Study comes the following recommendation.

Nuisance disconnects of an axis or channel, if specified, should be in terms of a maximum number of occurrences per flight hour, not as a ratio of nuisance to actual failures. Tying nuisance disconnects to actual failures implies that a percentage of disconnects will be actual failures. From the AFTI program comes the requirement for computer self test that the false alarm rate shall not exceed one percent of indicated faults.

With  the  advent  of  electrical  signal  computation,  in  particular  digital 
computation,  there  is  a  potential  for  a  failure  to  occur  in  flight  which  may 
be  impossible  to  identify  on  the  ground.  This  is  particularly  true  if  the 
failure  results  in  loss  of  the  aircraft.  Consequently  there  has  been  a  desire 
to  implement  a  methodology  and  device  to  code  and  record  computer  states  and 
failure  transients  as  they  occur  in  flight. 

In the DIGITAC program there was a feature which coded and stored any failure in the scratch pad (SPAD) memory (reference 4). Thus, the SPAD memory could be interrogated on the ground to reveal the causes of inflight or preflight failures. This ability was expanded after the initial flights to allow monitor words set on the ground to be distinguished from those set in flight.

Currently on the F-16 program there is an engineering change proposal that would implement a digital device in the aircraft which in addition to performing some maintenance BIT, self test, and other inflight monitoring, would record in a 1 K, 8-bit nonvolatile memory any failures which might occur in flight so that they could be traced on the ground. A similar capability exists in the F/A-18.

One of the major contributions to the maintenance of the F-12 flight control system reliability is the mission recording system. Each essential parameter of the various vehicle subsystems is monitored for use in a magnetic tape recorder (reference 19).

For the design of preflight BIT and maintenance BIT, consideration needs to be given to the time desired for the performance of these tasks.

In a definition study for an advanced fighter digital flight control system, the estimated time to perform a built-in test which functioned for both preflight and maintenance was:

BIT (with hydraulics)       20 seconds (triplex)
                            29 seconds (quadruplex)

BIT (without hydraulics)    10 seconds

While these times appear to be very desirable and one day attainable, up to this time no aircraft preflight or maintenance BIT has come close.

In the NASA F-8 Digital FBW Program, the F-8 flight time preflight BIT took approximately 40 minutes for all checks, about 5 minutes of which was attributed to digital systems tests. It was felt, however, that the plane was over-tested prior to flight.

For the F/A-18A, the Navy has set the times of 1 minute for preflight BIT and 2 minutes for maintenance BIT as the desired BIT performance times. Currently the preflight BIT (or as they term it, Initiated BIT) for this aircraft takes 8 minutes to complete and the maintenance BIT takes even longer (it should be noted that these times are expected to be reduced significantly). However, this result should be considered neither unusual nor unexpected in light of the complexity of the system and the level of fault isolation performed by the BIT.

The F-16 performs an automatic preflight BIT in approximately two minutes and can perform an alert BIT within 45 seconds and a complete maintenance and fault isolation test in less than 5 minutes (reference 4).

It may well be that the answer to obtaining acceptable preflight BIT times, particularly for complex systems, lies not in a compromise of flight safety and mission reliability, but rather in a reduction of the fault isolation capability of preflight BIT. The argument for this is that if the aim of preflight BIT is to determine a GO or NO GO condition based on any one failure, why isolate the failure with no intent to alleviate the failure at that time?

If the GO/NO GO was conditional on the type of failure present, then some level of fault isolation would be required, but not necessarily in depth as is found in current aircraft.

3.1.6  Mission  accomplishment  reliability 

3.1.7  Quantitative  flight  safety 
Discussion 

The  reliability  of  software  is  presumed  to  reach  100%  whenever  the  system 
matures  to  the  operational  deployment  stage.  This  is  attained  through  trials 
and tests during development which will insure that all of the programming
errors  (coding,  logic,  hardware  interface,  system  requirements  deficiencies) 
are  eliminated.  To  attain  the  near  perfect  reliability  necessary  requires  a 
very  comprehensive  technical  development  procedure,  management  control,  and 
configuration  control. 

Northrop Document NOR 78-85, Weapon System Computer Software Management (reference 27), contains an extensive format of procedures and controls that aid the design, development and verification of software programs in a manner that enhances the reliability of the software by minimizing the probability of software errors. The document constructs each aspect of the software development program in its most fundamental form, and provides for detailed definition of software documentation and development, as well as the organizational structure, assignments and responsibilities. The software documentation and development definition includes the nature of the schedule, critical milestones, design reviews and the means of development.




The documentation and verification procedures require thorough documentation of program modifications and problems and the implementation of
family  trees  which  simplify  the  methods  for  software  changes  by  providing  an 
understandable  program  flow  chart.  The  establishment  of  preliminary  and 
critical  design  reviews  insures  that  the  design  criteria  are  being  properly 
implemented. 

Figures  1  and  2  present  typical  examples  of  the  software  development 
process  and  software  configuration  control.  The  controls  presented  in  the 
Northrop  document  and  similarly  in  references  28  through  32  should  be  fully 
implemented  in  any  future  flight  control  development  programs. 

In  literature  pertaining  to  flight  control  system  design  and  aircraft 
flight  safety  and  reliability,  the  term  "extremely  improbable"  is  frequently 
used.  This  term,  which  should  not  be  confused  with  the  specification  term 
"extremely  remote",  has  been  used  in  reference  to  the  possibility  that  a 
system  failure,  in  particular  a  flight  control  system  failure,  could  lead  to 
loss of aircraft. The ability of a flight control system to achieve an extremely low probability of catastrophic failure has a significant impact on
the  levels  of  redundancy  required  to  meet  the  FCS  quantitative  flight  safety 
requirements,  i.e.,  that  the  probability  of  loss  of  aircraft  per  flight  hour 
be  extremely  remote. 

The following discussion taken from a Draper Laboratory report on digital fly-by-wire control presents an interpretation and application of the term "extremely improbable".

The commonly accepted numerical value for "extremely improbable" is $10^{-9}$. There is considerable controversy on the role numerical analysis should play in demonstrating that this requirement is met. In some situations, it appears that numerical analysis can have real significance and make a valid contribution. For example, numerical analysis can be used to compute the probability of system failure in a redundant system due to random-component failure. Random-component failure rates are large enough to be demonstrated in practice. The mathematical techniques for combining these failure rates are also well established. Numerical analysis showing a system failure rate of $10^{-9}$ per hour can then be believable. The actual value of the number can be significant in this circumstance. A change in this number can change the number of redundant channels required.

Numerical analysis may have little or no value in proving that the probability of failure is low due to other failures, such as design errors, common-mode failures, and generic software errors. These classes of faults may be the most likely. A number like $10^{-9}$ may not be valuable as a legalistic number that must be "proven" with pounds of paper. It may be valuable as a positive goal toward which everyone strives.

For commercial aircraft, the number $10^{-9}$ seems to be reasonable. It is likely that if advanced electronic flight-control systems can offer even some of the advantages claimed for them, they will be used on virtually all aircraft for at least a generation. If it is assumed that an aircraft generation is at least 15 years, and with at least $6 \times 10^{6}$ commercial aircraft flight hours per year in the U.S. alone, a total of at least $10^{8}$ system operating hours can be assumed. The number $10^{-9}$ thus means that the probability of a catastrophe due to a system failure is 1 in 10.
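As an added illustration (not taken from the Draper report or from MIL-F-9490), the C program below carries the random-component calculation through for one simple model. It shows how the channel failure rate, and the self-test coverage discussed under 3.1.3.9, change the number of redundant channels needed to reach $10^{-9}$ per hour. The failure model, the function names and every number other than that target are assumptions.

```c
#include <stdio.h>

/* Added illustration. The model and all numbers are assumptions: channels fail
   independently at a constant rate, q = lambda * t_hours is the chance that one
   channel fails during a flight, and design or common-mode faults are excluded. */

static double ipow(double x, int n) {
    double r = 1.0;
    while (n-- > 0) r *= x;
    return r;
}

/* Loss-of-control probability per flight hour from random channel failures.
   While three or more channels remain, cross-channel comparison isolates a
   failed one. With two left, only self test can tell which channel failed, and
   it succeeds with probability `coverage`. Control is lost if that isolation
   fails or if every channel fails. Valid for channels >= 2. */
double loss_per_hour(int channels, double lambda, double t_hours, double coverage) {
    double q = lambda * t_hours;
    double all_failed = ipow(q, channels);
    /* exactly one survivor: C(n, n-1) = n ways to pick it */
    double one_survivor = channels * ipow(q, channels - 1) * (1.0 - q);
    return (all_failed + one_survivor * (1.0 - coverage)) / t_hours;
}

/* Smallest channel count in 2..max_channels that meets `target`, or 0 if none. */
int min_channels(double target, double lambda, double t_hours, double coverage,
                 int max_channels) {
    for (int n = 2; n <= max_channels; n++)
        if (loss_per_hour(n, lambda, t_hours, coverage) <= target) return n;
    return 0;
}

int main(void) {
    const double target = 1e-9;          /* "extremely improbable", per hour */
    const double lambda = 5e-4, t = 2.0; /* constructed failure rate and flight length */
    const double cov[] = { 0.0, 0.9, 0.999, 0.9999 };
    for (int i = 0; i < 4; i++) {
        int n = min_channels(target, lambda, t, cov[i], 8);
        printf("coverage %.4f: %d channels, %.2e per hour\n",
               cov[i], n, loss_per_hour(n, lambda, t, cov[i]));
    }
    printf("doubling lambda at coverage 0.9999: %d channels\n",
           min_channels(target, 2 * lambda, t, 0.9999, 8));
    return 0;
}
```

With these constructed inputs the requirement moves from five channels with no self-test coverage to three at 99.99 percent coverage, and doubling the assumed channel failure rate pushes it back to four. The calculation covers only independent random failures, the one case for which the quoted discussion treats such numbers as believable.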

3.1.8  Survivability 
Discussion 

In  its  survivability  discussion,  the  User  Guide  predicted  "a  requirement 
for  a  standby  flight  control  capability  will  also  exist  in  future  aircraft 
equipped  with  active  redundant  fly-by-wire  control  systems". 

In  light  of  the  F-16,  it  is  apparent  that  this  prediction  did  not  come 
to  pass.  However,  with  qualification  it  was  and  still  is  a  good  prediction. 
While  the  analog  F-16  fly-by-wire  control  system  does  not  have  a  standby  flight 
control  capability  or,  more  to  the  point,  a  dissimilar  backup  system,  by  being 
quadruplex  it  does  have  one  more  computational  channel  than  analysis  would 
predict  necessary. 

While dissimilar backup systems may not be required for analog fly-by-wire control systems, at this time it appears very likely they will be required for all digital fly-by-wire control system applications. The question to be resolved, however, is what constitutes a dissimilar backup system. The concern on this subject is this: What if a glitch in the software leads to a simultaneous, multiple redundant channel drop out?

To provide a dissimilar backup capability both hydromechanical and fluidic signal computation techniques have been studied and employed.

For  the  F-15  a  dual  electronic  control  augmentation  system  was  utilized 
with  an  active  mechanical  control  system.  In  the  event  of  loss  of  the  electronic 
control  augmentation  system,  a  hydromechanical  computational  device  was 
engaged  to  provide  dissimilar  backup  insuring  level  2  flying  qualities. 

References 33 and 34 discuss studies relative to the implementation of fluidics as a dissimilar backup system.

The  approach  on  the  F-18  program  was  to  implement  a  backup  mechanical 
control  system  in  the  pitch  and  roll  axes.  The  backup  system,  which  is  in 
addition  to  backup  direct  electrical  links,  engages  automatically  in  the  event 
of  loss  of  fly-by-wire  control  to  the  horizontal/rolling  tail.  While  the 
system  achieves  complete  dissimilarity,  with  no  reliance  on  electrical  power, 
it  has  not  been  without  penalties.  The  design  implementation  of  a  command 
select  mechanism  within  an  integrated  servoactuator  which  transfers  control 
from  electrical  to  mechanical  is  very  complex,  and  because  of  the  number  of 
cycles  it  experiences  during  preflight  BIT,  its  transition  time  has  a  significant 
impact  on  the  time  required  for  preflight  BIT. 

Non-production programs such as the AFTI-F-16, the DIGITAC, and the F-8DFBW have implemented analog backup systems for their digital computation channels (references 2, 5, 6, 35, 36). While their backups are dissimilar in terms of electrical signal computation, they are vulnerable in the event of electrical power loss. However, the ability to minimize or eliminate the threat of electrical power loss must be accepted, in view of the success of the F-16 system to date.

With  the  ability  to  overcome  the  problems  of  electrical  power  loss  comes 
the  potential  for  the  next  step  in  dissimilar  backup:  the  use  of  dissimilar 
backup  software. 

Here the concept of dissimilar software does not imply the approach used on the Concorde SST program, which was very complex and costly. Rather, it involves a simplified, constant gain software program resident in each computer which provides the minimum required control capability of either FCS Operation State IV or State V as required. The potential for this approach has been discussed in reference 6 and demonstrated in work performed on the F-8DFBW program. Although never flown, a dissimilar software program and additional hardware were implemented on the F-8. When the new hardware detected a simultaneous fault in all computational channels, it was assumed to be a software error and computation reverted to the backup program. This testing was performed by programming some typical software errors into the operational flight program.

In  the  implementation  of  dissimilar  backup  control  systems  a  frequent 
problem  is  the  synchronization  of  the  two  systems.  The  goal  is  to  minimize  the 
transients  in  the  transfer  from  one  system  to  the  other.  As  in  the  F-18, 
there  must  be  a  capability  to  transfer  to  and  from  the  backup  system.  Reference 
35  has  a  thorough  discussion  of  synchronization  problems  in  the  F-8FBW  program, 
and  reference  37  discusses  backup  flight  control  design  procedures  for 
increased  survivability. 

With  the  increased  emphasis  on  CCV  concepts,  digital  computation,  and 
multiple  control  surfaces,  another  area  of  survivability  worthy  of  attention  is 
control law/control surface reconfiguration. If an aircraft that had a
horizontal  tail  and  flaperons,  for  example,  lost  control  of  the  horizontal  tail, 
then  the  control  laws  would  be  modified  so  that  the  flaperons  would  provide 
primary  pitch  control.  This  type  of  approach  has  been  implemented  in  the 
HiMAT  program  and  also  discussed  in  reference  38. 

A  final  point  relative  to  survivability  in  the  design  of  flight  control 
systems  in  general  and  fly-by-wire  control  systems  in  particular  is  the  potential 
for  batch  failures.  The  possibility  exists  that  each  of  the  redundant  flight 
control  computers  contains  a  defective  board  from  the  same  manufacturing  batch, 
which  causes  nearly  simultaneous  failures  in  all  channels  as  a  result  of  some 
severe  physical  or  environmental  conditions  which  do  not  exceed  the  design 
requirements.  Although  an  unlikely  occurrence,  it  needs  to  be  addressed  and 
provided  for. 

3.1.8.1 All engines out control. Line 5: After "flight" insert "airframe/inlet flow-field interactions not adequately verified in flight,".

Line 6: Change "operational envelope" to "permissible flight envelope per MIL-F-8785".

Line 6: After the first sentence, insert "Such supplementary means shall provide control power for a specified duration."

Discussion

The  purpose  of  these  amendments  is  to  give  the  requirement  the  explicit 
coverage  and  definition  it  is  meant  to  have. 

The  effect  of  airframe/inlet  flowfield  interactions  on  engine  performance 
is  a  critical  area  which  should  be  differentiated  from  airframe  aerodynamics. 

In  support  of  more  efficient  systems  acquisition,  the  second  amendment  establishes 
the  need  for  a  definite  time  relative  to  the  accomplishment  of  the  survivability 
requirement. 

3.1.9.2 Invulnerability to lightning strikes and static atmospheric electricity.
Discussion

In the User Guide discussion of this requirement, the concluding paragraph states: "Reference 85, 'Final Draft, Aerospace Recommended Practice, Lightning Effects Tests on Aerospace Vehicles and Hardware,' prepared by SAE Committee AE4, Special Task F, 1 May 1974, provides a definitive comprehensive guide to lightning simulation and verification testing of aerospace vehicles. This document has wide general acceptance and is expected to be formalized in 1975."

To  date  this  document  has  not  been  formalized  and  released.  Two  documents 
which  discuss  lightning  effects  and  have  been  released  are  references  14  and  18. 

There is still much unknown about the impact of lightning strikes on fly-by-wire aircraft. While the HIMAT remotely piloted vehicle has successfully undergone preliminary lightning strike evaluation, and the F-18A has undergone scale model testing to define potentially vulnerable lightning attach points, much remains to be done. At this time there are no published results or recommendations from the F-16 Full-Scale Lightning Strike Test (which was scheduled for June 1979), and no lightning strike evaluation has been performed on a full-scale F-18 to evaluate the effect of lightning strikes on aircraft subsystems.

A nondestructive scaled-down lightning current pulse test conducted on YF-16 No. 1 in 1975 indicated that additional protection would be required for the F-16, reference 3. The direction of the F-16 design effort for lightning strike protection was to: 1) keep lightning strike current flowing through the skin, and 2) protect circuitry and components from induced voltage damage. Protection from damage caused by induced voltage in the circuitry is a function of the interface circuit characteristics and the input impedance of the components. The length of the circuit, its position with respect to the airframe, and the position of the circuit with respect to known lightning attachment points were considered in determining the general shielding requirements for the FCS.

For the AFTI-F-16 program preliminary design requirements specify that
"each  input  and  output  line  of  the  DFCS  must  survive  (not  degrade  or  malfunction) 
conducted  transients  greater  than  those  produced  within  an  aircraft  by  a  200  K 
Amp  lightning  strike  to  the  aircraft.  Furthermore,  the  fully  operating  DFCS 
must  survive  (no  malfunction  beyond  safe  recovery)  a  magnetic  field  spike 
equivalent  to  that  which  produced  the  conducted  transient.  At  present,  the 
effects  of  the  magnetic  field  spike  on  circuit  components  is  unknown." 

On the subject of lightning in general, there has been a recent FAA report regarding a workshop on grounding and lightning technology.

3.1.9.4 Invulnerability to onboard failures of other systems and equipment.

Under  line  25:  Add  the  following: 

"d.  In  the  event  of  a  failure  such  as  loss  of  required  cooling  for  electrical 
signal  computation,  or  a  series  of  such  failures  not  extremely  remote,  which 
will  unavoidably  lead  to  degraded  FCS  operation,  undegraded  operation  shall 
be  provided  for  a  period  specified  by  the  procuring  agency." 

Discussion 

The  intent  of  this  amendment  is  to  address  the  very  real  potential  of  a 
failure  or  series  of  failures  that  could  lead  to  degraded  FCS  operation. 

It  is  simply  not  feasible  in  all  aircraft  configurations  to  isolate  the 
electrical  signal  computation  channels  in  such  a  way  that  only  one  channel  is 
lost  in  the  event  of  a  cooling  air  supply  failure,  as  recommended  in  the  User 
Guide.  Rather  than  attempt  to  impose  a  potentially  impractical  constraint 
on  the  FCS  design,  a  more  realistic  contingency  approach  is  recommended. 

This  recommendation  is  similar  to  a  design  requirement  for  the  AFTI-F-16 
program  which  states  that  in  the  event  of  the  loss  of  forced  cooling  air  to 
the  flight  control  computers  "the  equipment  shall  withstand  the  loss  of  cooling 
air without degradation of performance for a minimum of two (2) hours ...."


Unfortunately,  all  current  fly-by-wire  aircraft  require  forced  air  cooling 
of  the  flight  control  computers.  If  this  trend  is  to  change,  it  is  apparent 
that  it  will  be  as  a  result  of  a  design  change  in  the  electronic  components 
themselves  and  not  the  thermal  environment  of  the  aircraft  itself. 

3.1.9.5 Invulnerability to maintenance error. Line 5: After "major overhaul,"
insert "software modification,".

Discussion 

The  potential  impact  of  a  software  maintenance  error  warrants  its  specific 
inclusion in this requirement, and provides a logical connection to the
subparagraph which specifically addresses provisions for software maintenance
error. 


3.1.9.5: After this paragraph, add the following as a new paragraph:

"3.1.9.5.1 Invulnerability to software maintenance error. For systems
utilizing  digital  computation,  means  for  identification  of  the  operational 
flight  program  shall  be  provided,  and  procedures  shall  be  established  to 
prohibit  the  implementation  of  unintended  versions  of  software  in  the  flight 
control  system." 

Discussion 

For  systems  which  utilize  digital  computation,  particular  care  must  be 
given  to  software  maintenance  because  of  its  complexity  and  importance  for 
proper  FCS  operation.  The  best  expression  of  the  need  for  the  requirement 
is in the 3.1.9.5 User Guide discussion: "This requirement is especially
important with the increasing complexity of flight control systems and components
which tend to increase the potential for serious maladjustment through
maintenance  error." 

To  this  end,  means  for  identification  and  procedures  for  implementation 
need  to  be  mandatory  to  provide  invulnerability  to  software  error.  Note  that 
requirements  addressing  software  maintenance  provisions  are  specified  in 
paragraph  3.1.10.5. 

3.1.10 Maintenance provisions. Line 4: Delete "facilitate the accomplishment
of all required" and substitute "permit the accomplishment within the allocated
maintenance budget and personnel skill level of all required organizational
and intermediate level".

Line 7: Change "overhaul," to "repair,".

Line 7: After the last sentence, add "In addition, the
design shall employ provisions to facilitate efficient overhaul and performance
verification at the depot level."

Discussion 

Ease  of  maintenance  has  always  been  a  desired  objective,  but  was  usually 
relegated  to  secondary  importance  relative  to  such  prime  design  considerations 
as  volume,  weight,  and  unit  cost.  This  practice  resulted  in  weapon  systems  with 
excessive  down  time,  maintenance  hours  per  flight  hour,  and  spares  requirements. 
With  increasingly  more  complex  systems  coming  into  the  inventory,  this  situation 
has  worsened  acutely.  To  reverse  this  trend,  maintainability  considerations 
are  now  receiving  prime  emphasis  and  are  expressed  as  firm,  quantitative 
requirements,  with  a  suitable  plan  for  demonstration  of  compliance.  Such 
quantitative  requirements  are  Maintenance  Man  Hour  Per  Flight  Hour  (MMH/FH) 
and  Mean  Time  Between  Actions  (MTBA)  for  organizational  level  and  Mean  Time 
to  Repair  (MTTR)  for  intermediate  level,  and  are  established  in  consideration 
of  the  overall  aircraft  maintenance  budget.  Achievement  of  these  numerical 
objectives  and  demonstration  of  compliance  involves  units/systems  dedicated 
to  maintainability  development  and  demonstration. 

To  reflect  this  trend,  and  in  recognition  of  the  direct  relationship 
between  maintainability  and  weapon  system  operational  readiness,  the  requirement 
is  changed  from  a  qualitative  consideration  to  a  quantitative  goal  implied 
by  the  reference  to  the  allocated  maintenance  budget. 

3.1.10.2.1  Use  of  cockpit  instrumentation.  Line  5:  Delete  "(for  nonelectrical 
and  nonelectronic  components)". 

Discussion 

The  last  sentence  of  this  requirement  references  "portable  test  equipment 
(for  nonelectrical  and  nonelectronic  components)."  This  statement  indicates 
that portable test equipment can be used only for MFCS, yet requirement
3.1.10.2.2 allows the use of portable test equipment under specific conditions.

3.1.10.2.2: After this paragraph, add the following as new paragraphs:

"3.1.10.2.2.1 Provision for portable test equipment growth. Any special
test equipment shall be designed to provide for growth consistent with the FCS
growth capability.

3.1.10.2.2.2 Provision for portable test equipment software. Where software
is utilized within FCS portable test equipment, its design, verification,
validation, and maintenance shall be consistent with the software requirements
contained  within  this  specification." 

Discussion 

The  first  requirement  addresses  the  possibility  that  growth  in  the  flight 
control system may require similar growth in the portable test equipment associated
with it. Without this provision for growth, the costly (and potentially
untimely)  replacement  of  equipment  may  be  necessary. 

The  second  requirement  insures  that  all  software  developed  relative  to 
the  flight  control  system  is  addressed  through  this  specification,  in  order 
to  obtain  efficient,  consistent,  and  well  documented  software  implementation. 

3.1.10.4  Maintenance  personnel  safety  provisions.  After  this  paragraph,  add 
the following as a new paragraph:

"3.1.10.5  Software  maintenance  and  verifiability.  Any  modification  to  system 
software  shall  be  evaluated  prior  to  implementation  on  an  aircraft  in  accordance 
with  the  appropriate  procedures  of  analysis,  inspection,  and  test  defined 
in  the  quality  assurance  section  of  this  specification.  To  aid  in  software 
maintenance,  safety,  and  reliability,  each  Programmable  Read  Only  Memory 
(PROM)  shall  reserve  one  word  (or  more)  to  serve  in  identification  of  the 
software  version  and  operational  flight  program  (OFP)  portion  contained 
within  the  PROM." 

Discussion 

Similar  to  other  maintenance  requirements  of  3.1.10,  this  requirement 
addresses  an  area  requiring  particular  attention. 

Because of the importance of software maintenance in the development and
operational modification of a digital flight control system, there is a
need for established service procedures to insure flight safety. In addition,
once service has been performed, provisions are necessary for efficient
verification that the proper version of software has been implemented. This
need is particularly evident with the advent of multi-role aircraft such as
the  F-18. 
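One way to use the identification word called for in 3.1.9.5.1 and 3.1.10.5 to check a set of PROMs before installation, shown as an added example that is not part of this report or of any program it describes. The position of the ID word (last word of the PROM), its version/portion byte layout, the constructed PROM contents and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (hypothetical, not taken from the specification): the last
 * 16-bit word of every PROM is reserved for identification.
 * High byte = software version, low byte = index of the OFP portion. */
#define PROM_WORDS   8u                  /* tiny constructed PROM size */
#define ID_WORD_ADDR (PROM_WORDS - 1u)
#define ERASED_WORD  0xFFFFu             /* unprogrammed location */
#define PROM_COUNT   3u

typedef enum {
    OFP_OK = 0,
    OFP_BLANK_ID,       /* ID word was never programmed */
    OFP_WRONG_VERSION,  /* PROM belongs to another software release */
    OFP_WRONG_PORTION   /* right release, but not the portion for this socket */
} ofp_status;

typedef struct {
    ofp_status status;
    size_t     socket;  /* first offending socket; 0 when status is OFP_OK */
} ofp_result;

static uint8_t id_version(uint16_t id) { return (uint8_t)(id >> 8); }
static uint8_t id_portion(uint16_t id) { return (uint8_t)(id & 0xFFu); }

/* Check every PROM of a set against the released version and against the
 * portion expected in its socket. Requiring portion == socket index also
 * catches swapped and duplicated chips. */
ofp_result ofp_verify_set(const uint16_t proms[][PROM_WORDS], size_t count,
                          uint8_t released_version)
{
    ofp_result r = { OFP_OK, 0 };
    for (size_t s = 0; s < count; s++) {
        uint16_t id = proms[s][ID_WORD_ADDR];
        r.socket = s;
        if (id == ERASED_WORD)                   { r.status = OFP_BLANK_ID;      return r; }
        if (id_version(id) != released_version)  { r.status = OFP_WRONG_VERSION; return r; }
        if ((size_t)id_portion(id) != s)         { r.status = OFP_WRONG_PORTION; return r; }
    }
    r.socket = 0;
    return r;
}

/* Constructed sample PROM sets; the first seven words stand in for program code. */
static const uint16_t good_set[PROM_COUNT][PROM_WORDS] = {
    { 0x1A2B, 0x3C4D, 0x5E6F, 0x0001, 0x0002, 0x0003, 0x0004, 0x0700 },
    { 0x2B3C, 0x4D5E, 0x6F70, 0x0011, 0x0012, 0x0013, 0x0014, 0x0701 },
    { 0x3C4D, 0x5E6F, 0x7081, 0x0021, 0x0022, 0x0023, 0x0024, 0x0702 },
};
static const uint16_t mixed_set[PROM_COUNT][PROM_WORDS] = {   /* socket 1 from release 6 */
    { 0x1A2B, 0x3C4D, 0x5E6F, 0x0001, 0x0002, 0x0003, 0x0004, 0x0700 },
    { 0x2B3C, 0x4D5E, 0x6F70, 0x0011, 0x0012, 0x0013, 0x0014, 0x0601 },
    { 0x3C4D, 0x5E6F, 0x7081, 0x0021, 0x0022, 0x0023, 0x0024, 0x0702 },
};
static const uint16_t swapped_set[PROM_COUNT][PROM_WORDS] = { /* sockets 1 and 2 exchanged */
    { 0x1A2B, 0x3C4D, 0x5E6F, 0x0001, 0x0002, 0x0003, 0x0004, 0x0700 },
    { 0x3C4D, 0x5E6F, 0x7081, 0x0021, 0x0022, 0x0023, 0x0024, 0x0702 },
    { 0x2B3C, 0x4D5E, 0x6F70, 0x0011, 0x0012, 0x0013, 0x0014, 0x0701 },
};
static const uint16_t blank_set[PROM_COUNT][PROM_WORDS] = {   /* socket 2 ID not burned */
    { 0x1A2B, 0x3C4D, 0x5E6F, 0x0001, 0x0002, 0x0003, 0x0004, 0x0700 },
    { 0x2B3C, 0x4D5E, 0x6F70, 0x0011, 0x0012, 0x0013, 0x0014, 0x0701 },
    { 0x3C4D, 0x5E6F, 0x7081, 0x0021, 0x0022, 0x0023, 0x0024, 0xFFFF },
};

static const char *ofp_status_name(ofp_status s)
{
    switch (s) {
    case OFP_OK:            return "OK";
    case OFP_BLANK_ID:      return "blank ID word";
    case OFP_WRONG_VERSION: return "unintended version";
    case OFP_WRONG_PORTION: return "wrong OFP portion for socket";
    }
    return "unknown";
}

static void report(const char *name, const uint16_t set[][PROM_WORDS])
{
    ofp_result r = ofp_verify_set(set, PROM_COUNT, 0x07); /* release 7 is the intended load */
    printf("%-12s %s (socket %lu)\n", name, ofp_status_name(r.status),
           (unsigned long)r.socket);
}

int main(void)
{
    report("good_set", good_set);
    report("mixed_set", mixed_set);
    report("swapped_set", swapped_set);
    report("blank_set", blank_set);
    return 0;
}
```

The ID word only identifies what a PROM claims to contain; it does not detect corrupted program words, which is why the requirement pairs it with the analysis, inspection, and test procedures of the quality assurance section.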

It has been stated (reference 40) that maintenance can account for more than 50
percent  of  the  life  cycle  costs  of  software.  These  costs  include  both 
the  correction  of  software  errors  and  changes  necessary  for  system  improvement 
and  adaptation.  Because  of  the  significance  of  software  maintenance  costs, 
it  is  important  that  the  software  maintenance  procedures  be  well  thought  out 
and  not  only  safe  but  efficient.  Some  of  the  inputs,  tasks,  and  outputs 
relative  to  software  maintenance  are  listed  in  Table  1,  from  reference  40. 

TABLE 1. SOFTWARE MAINTENANCE.

Inputs                     Tasks                                            Outputs
Software documentation     Develop a plan for software maintenance          Revised software documentation
Software code              Review change control procedures for field use   Revised software
Test procedures            Define requalification procedures                Software maintenance plan, change procedures, and retesting plans
Change control procedures


During  the  initial  phases  of  the  F-18  full  scale  development  program, 
software  changes  were  first  made  in  a  core  memory  program  and  flown  on  the 
flight  simulator  and  Iron  Bird.  Upon  satisfactory  demonstration,  PROM's  were 
burned for incorporation in flight units. Prior to use in flight, these PROM's
were  then  evaluated  with  the  flight  simulator  and  Iron  Bird. 

3.2.1 Pilot controls and displays. Line 5: After "with" insert "the applicable
provisions of MIL-C-81774 and".

Discussion

MIL-C-81774 is the general specification for aircraft control panels and
as  such  is  applicable  to  FCS  design.  It  must  therefore  be  referenced  in  this 
requirement. 

3.2.1.1 Pilot controls for CTOL aircraft. Line 4: Delete "Strict adherence
to the prescribed location and maximum range of motion of these controls is
required."

Discussion 

The reclining angle of the pilot's seat impacts on the validity of dimensions
specified in DH 2-2, SN 1(1) and makes comparisons more academic than
practical. The application of control concepts such as force-feel, side arm,
primary hand controllers, dual controls, etc., will make it additionally difficult
to formalize cockpit arrangement dimensions.

Dimensions  applicable  to  cockpit  arrangement  of  controls  should  be 
included  in  the  design  specification  as  exemplary  of  recommended  values  to 
serve  as  a  guide.  Locating  dimensions  and  range  of  travel  of  flight  controls 
would  be  established  by  mockup  and  a  basic  dimension  control  drawing  subject 
to  approval  by  the  procuring  agency. 

3.2.1.1.5 Trim switches. Line 1: Change the title to "Trim controls."

Line 5: Delete "MIL-S-9419" and substitute "MIL-S-9419, MIL-S-3950, or
MIL-S-6743".

Line 5: After the last sentence, add "Knob type trim controls may be
used for proportional trim subject to approval by the procuring agency."

Discussion

The additions of MIL-S-3950 and MIL-S-6743 provide for coverage of trim
switches which are not included in MIL-G-25561 and MIL-S-9419. The reference
to trim knobs is added in recognition of their widespread use for proportional
trim.

3.2.1.1.8 Normal disengagement means. Delete the entire paragraph and substitute
"Means for disengagement of all AFCS and non-critical MFCS modes
shall be provided which are compatible with the requirements of 3.1.9.6.
Disengagement  capability  for  flight  phase  essential  FCS  modes  shall  require 
approval  by  the  procuring  agency." 

Discussion 

To assure consistency with the requirements of 3.1.3.2, this requirement
should apply not only to AFCS modes, but also to all non-critical and flight
phase essential FCS modes. The reference made to compatibility with the
requirements of 3.1.9.6 does not provide adequate safeguards relative to
disengagement  capability  for  flight  phase  essential  modes,  so  specific  approval 
by  the  procuring  agency  should  be  required. 

For  the  F-18  flight  test  aircraft  there  are  means  for  CAS  disengagement 
of  the  MFCS  in  three  separate  axes,  pitch,  roll,  and  yaw.  These  provisions 
allow  the  evaluation  of  degraded  modes.  This  disengage  capability  is  not 
included on the production version; however, all F-18 aircraft will have a
manual  over-ride  capability  of  the  flight  phase  essential  leading  and  trailing 
edge  flaps.  The  production  over-ride  switch  is  a  three  position  device  which 
allows  normal  automatic  operation  and  two  fixed  flap  settings  for  take-off  and 
landing. 

3.2.1.4.1 FCS annunciation. Line 1: Delete "panel or associated panels" and
substitute  "panel,  associated  panels,  or  integrated  displays". 

Discussion 

The intent of this change is to recognize the trend toward use of integrated
displays by including these as acceptable means for display of flight
control information.

3.2.1.4.2.2 Failure status. Line 4: After "crew" insert "of systems not
necessary  for  flight  safety". 

Discussion 

The last sentence of the Requirement is too restrictive in that it prohibits
warning annunciation of accidental or inadvertent disengagement of systems
affecting  safety  of  flight.  Future  aircraft  may  require  SAS  operation  to  assure 
at least level III flying qualities.

3.2.1.4.2.3 Control authority annunciation. Line 3: After "augmentation"
insert  "or  manual  series  trim". 

Discussion 

The  requirement  needs  to  include  manual  series  trim,  as  a  failure  of  such 
trim  function  can  also  reduce  available  control  authority. 

3.2.3.1 General requirements. Line 1: After the title, add the following:
"Signal transmission between control system elements or components shall be
accomplished by direct mechanical, hydraulic, pneumatic, or electrical connections
as appropriate. The use of fiber optic technology or other nonconventional
transmission media requires specific approval of the procuring agency."

Discussion

This requirement is equivalent to the requirement of 3.2.4.1.3.1 referring
to signal transmission between computer components. The intent of this recommendation
is to make the requirement applicable to all flight control signal
paths.

As  stated  in  the  Background  Information  and  User  Guide,  the  requirement 
"is  not  intended  to  prohibit  the  use  of  nonconventional  transmission  paths, 
but  rather  to  ensure  that  the  contractor  has  fully  investigated  their  ability 
to  perform  essential  functions  reliably  and  can  present  substantiating  evidence 
for approval before committing designs."

3.2.3.1.4 Rigging provisions. After the second sentence, add "Rigging
positions shall have a built-in method of travel measurement such as protractors
or scales applied to an external surface, bellcrank, or pulley.
Whenever possible, rigging positions shall be independent of each other."

Discussion

Added  to  provide  easy,  more  rapid  and  repeatable  maintenance  method. 

3.2.3.2.4.1 Control cable. Change paragraph c. to read "Non-flexible
corrosion resisting steel cable in straight runs or Lockclad (aluminum tubing
swaged over cable) with corrosion-resisting cable in long straight runs
only."

Discussion 


Added  to  allow  use  of  Lockclad. 


3.2.3.2.4.12 Fairleads and rubbing strips. Change last sentence to
"Fairleads shall have provisions to allow cables with swaged terminals to be
threaded  through  them  with  a  minimum  of  effort  and  adjustments." 

Discussion 

Provides  general  method  rather  than  single  design  solution  called  out 
previously. 


3.2.3.3.1.2 Wire terminations. Line 1: Delete "(spade, lug, or connector)".

Discussion

Words  in  parenthesis  disagree  with  previous  paragraph  which  forbids  use 
of  terminal  boards. 

3.2.3.3.2 Multiplexing. Delete the entire paragraph and substitute the following:

"Electrical multiplexed signal transmission shall utilize digital time-division-multiplexing
techniques and a twisted shielded pair cable as the multiplex bus
transmission media. The multiplex bus line, its interface electronics, and all
aspects of information transfer via the data bus shall comply with requirements
of MIL-STD-1553. The installation of multiplex bus cables shall be according
to the requirements for other electrical flight control (EFC) interconnections
as specified in 3.2.3.3.1 and subparagraphs. The use of fiber optics or other
nonconventional  transmission  media  for  the  multiplex  bus  shall  require  specific 
approval  of  the  procuring  activity." 

Discussion 

The  recommended  changes  are  intended  to  emphasize  three  points  concerning 
the  use  of  multiplexing  for  flight  control  signals. 

1.  A  distinction  is  made  between  electrical  signal  multiplexing  for  which 
MIL-STD-1553 was designed and other techniques such as optical multiplexing
where 1553 would be inappropriate.

2.  The  statement  regarding  compliance  with  MIL-STD-1553  is  broadened 
to ensure full compliance with the military standard. The requirement
as stated in 9490D could be narrowly interpreted to apply only
to  the  electrical  hardware. 

3.  The  statement  regarding  installation  of  multiplex  bus  cables  is  added 
to  emphasize  the  importance  of  isolating  and  protecting  data  buses 
when used to transmit essential and flight phase essential signals.

3.2.4.1.2 Interchangeability. Line 3: Change "LRU" to "SRU (Shop
repairable unit)".

Discussion

This  amendment  recognizes  that  an  SRU  and  not  an  LRU  is  the  appropriate 
term  for  this  requirement. 

Readjustment  of  the  internal  parameters  following  replacement  of  an  SRU 
is  permissible  since  it  is  performed  in  a  controlled  environment  by  the 
appropriate  skill  level. 

Replacement  of  an  LRU  should  not  require  any  internal  resetting  of 
parameters  except  some  adjustment  in  the  aircraft  rigging  for  certain  types 
of  LRU  such  as  position  sensing  devices. 

In  any  case  the  allowable  tolerances  on  the  interchangeable  elements 
shall  be  such  that  failure  to  readjust  to  overall  system  tolerances  shall  not 
create  a  hazardous  condition. 

3.2.4.3 Electrical signal computation

Discussion

Since the MIL-F-9490D User Guide was issued, much literature pertaining
to  fly-by-wire  flight  control  systems  has  appeared.  References  2,  6,  9,  14, 
16,  40,  41,  42,  43,  and  44  are  some  of  the  sources  which  were  used  in  the 
preparation  of  this  report. 

An increasingly important aspect of fly-by-wire flight control system
technology is microprocessors. Within the past few years microprocessors
have grown from four bit controllers to 16 bit mini-computers in performance.
The  advantage  of  using  microprocessors  is  that  the  inexpensive  hardware 
allows  high  levels  of  redundancy  at  reasonable  prices.  Some  are  becoming 
military  rated,  and  where  a  task  can  be  isolated,  a  dedicated  processor  is 
well  suited.  The  processor  can  do  a  reasonable  job  of  self  testing  without 
an outside reference.

The basic limitation of microprocessors is the high cost of customizing.
While  most  of  the  comparisons  can  be  done  by  software,  occasionally  there  is 
a  need  for  hardware  voting.  This  must  be  added  or  performed  with  discrete 
hardware. 

A  necessary  and  useful  device  is  a  component  with  built-in  voters.  We 
could  utilize  a  hardwired  device  to  create  a  voter  signal  and  apply  that 
signal  to  a  particular  device.  However,  if  that  one  signal  to  the  device 
failed,  we  would  consider  it  a  common  point  failure.  If,  on  the  other  hand, 
the "or" and "and" voting logic was built into the device (memory chip) and
the  voting  logic  failed,  it  would  be  considered  a  memory  failure,  not  a  common 
point  failure.  The  single  device  would  indeed  have  higher  reliability  than 
the  separate  devices,  but  the  main  point  is  that  the  perspective  changed  to 
consider  the  failure  to  be  of  a  different  type. 

The  critical  failure  modes  can  occur  in  the  bus  lines.  These  require 
bus  guardians  which  then  become  the  critical  failure  points.  For  these 
reasons  serial  lines  become  attractive. 

The architecture of these systems is in an experimental stage of development.
In a few years there will undoubtedly be some established preferences
of  architecture. 

3.2.4.3.1 Analog computation. Line 3: After the first sentence, insert "At
the  time  of  aircraft  acceptance  by  the  procuring  agency,  a  25  percent  growth 
capability  for  computation  shall  exist  within  the  flight  control  system." 

Line  5:  After  the  last  sentence,  add  "Analog  signals  shall 
be scaled to provide satisfactory resolution and sensitivity to ensure
continuous  safe  operation  for  all  possible  combinations  of  maneuvering 
demand  and  gust  or  other  plausible  disturbances,  and  to  prevent  unacceptable 
levels  of  nonlinear  characteristics  or  instabilities." 

Discussion 

The  need  for  adequate  growth  capability  and  proper  scaling  is  as  real  for 
analog  computers  as  for  digital.  The  inclusion  of  these  amendments  makes  the 
requirements  for  analog  computation  parallel  the  existing  requirements  for 
digital computation.

One of the improvements of the F-16 aircraft resulting from the YF-16 experience
was a rescaling of the roll stick inputs. The benefits of this improvement
were more desirable roll response, adequate stability margins, and
prevention of pilot induced oscillations during power approach (reference 3).

3.2.4.3.2 Digital computation. Line 1: Insert as the first sentence
"Redundant signal computation (in particular, redundancy management) shall be
implemented as required by the flight safety and failure immunity and invulnerability
requirements specified herein to prevent propagation of failures
across channels."

Line 4: Delete "Resident and bulk" and substitute "Program
and workspace".

Discussion 

As discussed in the redundancy management section, it is necessary to
prevent the cross channel propagation of failures. One approach has been the
use of fiber optics for multiplexed cross channel communication. Employed on
the YC-14, fiber optics possess the obvious advantages of electrical isolation,
and minimize the risk of external sources of electromagnetic interference
corrupting critical cross channel signals.

The use of the words program and workspace provides a more accurate description
of the use of storage in digital computation.

Since the D version of this specification was issued, there has been considerable
discussion about the required growth capability for digital computation
(references 1, 46). Apart from the Air Force, the discussion was typically one-sided
in favor of eliminating this requirement. Our recommendation is to retain
the  requirement  as  it  now  stands.  It  is  recognized  that  at  the  time  of 
aircraft  acceptance  the  need  for  growth  is  not  only  desirable  but  necessary. 

It  is  also  realized  that  at  the  time  of  acceptance  the  percentage  growth 
figures  are  subject  to  compromise  when  traded  off  against  desired  aircraft 
performance. 

Therefore  the  requirement  for  growth  is  pertinent  and  desirable  and  should 
be  retained.  The  percent  values  could  be  modified,  but  there  appears  to  be  no 
basis for replacing one somewhat arbitrary value with another.

For the AFTI-F-16 program, the FCS operational flight program is designed
to  execute  within  70  percent  allocated  memory  and  75  percent  duty  cycles;  this 
is  sufficient  to  permit  growth. 

In  the  DIGITAC  program,  which  used  approximately  73  percent  of  the  total 
memory available, a final design aspect of the digital software was modularization
to permit partitioning of the original programming task. This allowed
the debugging and validation of the software changes to be greatly simplified
during the flight test evaluation. It also permitted software changes to be
accomplished more easily and in less time. A further discussion of this concept
and a description of the modules, identified as computer program components,
can be found in reference 5.

In  both  the  space  shuttle  and  F-18  programs  the  impact  of  transport  lags 
has been felt. While transport lags are not attributable to digital computation
alone, the implementation of digital computation plays a critical role in
both  the  creation  and  the  solution  of  transport  lag  problems. 

It is of interest to note that in the F-18 flight control system development,
the preliminary design was based on a continuous system. For this system
the  design  goal  for  all  control  loops  was  a  gain  margin  of  at  least  10  db  and 
a  phase  margin  of  at  least  45  degrees. 

3.2.4.3.2.1 Memory protection

3.2.4.3.2.2 Program scaling

Discussion

As  discussed  in  the  system  test  and  monitoring  section,  there  is  a  need 
for  nonvolatile  memory  which  can  record  in-flight  failures,  transient  failures, 
and system status. This memory must be protected in a way that insures survivability
in the event of loss of the aircraft. For the AFTI-F-16 program
nonvolatile  memory  is  required  to  retain  stored  data  for  a  minimum  of  one  year 
under  any  combination  of  presence  and  absence  of  power. 

The  application  of  EPROM's  for  flight  testing  is  becoming  more  widespread. 
They  have  been  used  successfully  on  the  YC-14  program  and  are  planned  for 
implementation in the AFTI-F-16 program, in which the memory protection requirements
are in complete compliance with this specification. The use of EPROM's
is addressed in the discussion of software maintenance.

In the initial phase of flight testing for the F-18, plug-in PROM's were
employed in the flight control computers. They were replaced by PROM's hardwired
to the boards when it became apparent that the plug-in PROM's did not
provide  adequate  reliability  in  an  operational  environment. 

Program  scaling  is  necessary  in  fixed  point  computers  for  protection 
against  overflows  in  digital  computation.  Computers  are  now  being  developed 
(e.g.,  in  the  AFTI-F-16  program)  which  have  the  ability  to  limit  automatically 
the results of addition, subtraction, multiplication, division, and arithmetic
shift operations that would otherwise have overflowed.
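The difference between an unprotected fixed point result and an automatically limited one, as an added example that is not code from this report or from the AFTI-F-16 program. It assumes a 16-bit Q15 format (value = raw/32768) and models the limiting in software; the type and function names are illustrative only.

```c
#include <stdint.h>
#include <stdio.h>

typedef int16_t q15;             /* assumed format: value = raw / 32768, range [-1, +1) */
#define Q15_MAX 32767
#define Q15_MIN (-32768)

/* Limit a wide intermediate result to the 16-bit range. */
static q15 clamp_q15(int32_t v)
{
    if (v > Q15_MAX) return Q15_MAX;
    if (v < Q15_MIN) return Q15_MIN;
    return (q15)v;
}

/* Two's-complement wraparound: what a plain 16-bit adder delivers on overflow. */
q15 add_wrap(q15 a, q15 b)
{
    uint16_t u = (uint16_t)((uint16_t)a + (uint16_t)b);
    return (q15)(u >= 0x8000u ? (int32_t)u - 65536 : (int32_t)u);
}

/* Limited versions of the operations named in the text. Each computes the
 * exact result in 32 bits and then clamps it. */
q15 add_sat(q15 a, q15 b) { return clamp_q15((int32_t)a + b); }
q15 sub_sat(q15 a, q15 b) { return clamp_q15((int32_t)a - b); }

/* Q15 product; the only overflowing case is (-1.0) * (-1.0). */
q15 mul_sat(q15 a, q15 b) { return clamp_q15(((int32_t)a * b) / 32768); }

/* Q15 quotient; division by zero is limited by the sign of the dividend. */
q15 div_sat(q15 a, q15 b)
{
    if (b == 0)
        return (a == 0) ? 0 : (a > 0 ? Q15_MAX : Q15_MIN);
    return clamp_q15(((int32_t)a * 32768) / b);
}

/* Arithmetic left shift; shifts beyond 15 places saturate like a shift of 15. */
q15 shl_sat(q15 a, unsigned n)
{
    if (n > 15u) n = 15u;
    return clamp_q15((int32_t)a * (int32_t)(1L << n));
}

static double to_real(q15 x) { return x / 32768.0; }

int main(void)
{
    /* Constructed case: a 0.75 command summed with a 0.5 disturbance term. */
    q15 cmd = 24576, disturbance = 16384;

    printf("wraparound sum: %+.5f (sign reversed)\n", to_real(add_wrap(cmd, disturbance)));
    printf("limited sum:    %+.5f\n", to_real(add_sat(cmd, disturbance)));
    printf("(-1)*(-1):      %+.5f\n", to_real(mul_sat(Q15_MIN, Q15_MIN)));
    printf("0.5/0.25:       %+.5f\n", to_real(div_sat(16384, 8192)));
    printf("12000 << 2:     %d\n", shl_sat(12000, 2));
    return 0;
}
```

Limiting keeps the sign of an overflowed result correct but still loses magnitude, so it complements program scaling rather than replacing it.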

3.2.4.3.2.3 Software support. Line 1: Change the title to "Software development
and support."

Line  1:  Delete  "For  programmable  computers  a  software"  and 
substitute  "A  software". 

Line  1:  Insert  as  the  first  three  sentences  "For  programmable 
computers  system  software  shall  be  developed  and  controlled  in  accordance 
with  specifications  prepared  by  the  contractor  and  approved  by  the  AF  in 
accordance  with  MIL-STD-490  and  as  supplemented  by  MIL-STD-483.  Definition 
of  the  software  development  plan  shall  be  contained  in  the  computer  program 
development plan (CPDP) outlined in requirement 4.4.1 of this specification.
This software will constitute the operational flight program (OFP) portion of
the  Computer  Program  Configuration  Item  (CPCI)." 

Line  7:  At  the  end  of  the  last  sentence,  change  the  period 
to  a  comma  and  add  "and  shall  encompass  the  software  maintenance  requirement 
3.1.10.5." 

Discussion 

The  title  of  this  section  was  modified  to  reflect  the  fact  that  software 
for  digital  computation  requires  both  development  and  support,  and  that  the 
two  are  complementary. 

The  reference  to  MIL-STD-490  and  MIL-STD-483  places  this  specification 
in compliance with those specifications as required by AF procedures. The inclusion
of this requirement was endorsed in the Digital Flight Control Software
Validation Study and implemented in the AFTI program.

The software development plan establishes the actions and procedures that
will be followed during the software development cycle. The plan also describes
the phasing of the development activity, the structure and responsibility of
software organization, the engineering development test requirements, the
overall software verification and validation process, the documents required
and their format, the methods for controlling changes during the development
process, and other factors significant in the development effort. The development
plan can be organized into several sections that describe the particular
aspects of the development cycle, such as those shown in Figure 3, an example
of a software system development cycle.

It  is  necessary  for  the  software  support  package  to  address  specifically 
the  software  maintenance  requirement  because  of  the  importance  of  the  software 
support  package  relative  to  proper  software  maintenance. 

References  40,  47,  48,  49,  50,  and  51  pertain  to  planning  for  software 
quality  and  software  verification,  validation,  and  control  procedures. 

3.2.4.3.2.3: After this paragraph, add the following as a new paragraph:

"3.2.4.3.3 Computational input/output growth capability. In the implementation
of an analog or digital computer for electrical signal computation, the
input/output growth capability shall be consistent with the growth capability
of the computer and the computer connector reserve capacity."

Discussion 

This requirement is consistent with the reserve for growth that is specified
for analog and digital computation and the connector reserve capacity.
It serves to avoid a bottleneck in signal transmission.

This parallels requirements in the AFTI-F-16 Development and Integration
Program, in which a 20 percent growth capability is specified for analog
and digital input and output signals.

3.2.6 Actuation

Discussion

While the state of the art for actuation has progressed since the
specification and User Guide were issued, the actuation requirements appear quite
sufficient with little need for amendments.

References  52,  53,  54,  55,  56,  and  57  provide  a  cross-section  of  some  of 
the  work  which  has  been  done  since  that  time.  The  topics  include  design 
objectives  for  improved  actuation,  direct  drive  control  valves,  electrical 
actuation concepts, and 8000 psi hydraulic control systems. Reference 57 is
an Air Force Technical Memorandum which addresses the general design criteria
for hydraulic power operated aircraft flight control actuators.

3.2.7.3.2 Microelectronics. Delete the entire paragraph and substitute
"Microelectronic devices conforming to the provisions of MIL-M-38510 and
available from qualified sources shall be used in preference to other similar
devices."

Discussion 

The use of specially designed and newly developed microelectronic devices
in the YF-17 flight control electronics was necessary to achieve the minimal
size, weight, and power design objectives for these electronic assemblies.

If  the  selection  of  devices  had  been  limited  to  microcircuits  qualified  to 
MIL-M-38510,  severe  size,  weight,  and  power  penalties  would  have  resulted,  and 
possibly  some  compromises  in  functional  performance.  The  time  span  required  to 
qualify  a  microelectronic  device  to  MIL-M-38510  is  so  long,  and  the  evolution 
of  microcircuit  technology  is  so  rapid  that  often  by  the  time  a  particular 
device  is  qualified  it  is  obsolete.  The  unamended  requirement  limits  the  Air 
Force  in  its  application  of  state-of-the-art  technology. 

The amended requirement provides an opportunity for flexibility in the
implementation of microelectronics for future aircraft procurement, and
conforms with the recommendation in the User Guide, which states: "The use of
microelectronic technology should be considered in the design of all
systems/equipment. An objective appraisal of all factors concerning the
system/equipment design should be made with the view of maximizing reliability and
minimizing total cost of ownership, weight, and space within the envelope of the
other performance parameters of the design."

3.2.7.3.3 Burn-in. Line 1: After "50" insert "power-on".

Discussion 

This amendment provides a definitive approach to electronic LRU burn-in
to insure reliability and acceptability.

4. QUALITY ASSURANCE


4.1.1  Methods  for  demonstration  of  compliance. 

Line 6: After the last sentence, add "As applicable, software
shall conform to MIL-S-52779 and MIL-STD-1521."

Discussion 

MIL-S-52779,  Software  Quality  Assurance  Requirements,  and  MIL-STD-1521, 
Technical  Reviews  and  Audits  for  Systems,  Equipment,  and  Computer  Programs, 
are  DOD  documents  approved  for  use  by  all  departments  and  agencies  of  the 
Air Force, and are therefore referenced in this specification. The
standardization of software procedures and documentation, and the goal of a common
DOD  software  language,  provide  the  greatest  opportunity  for  increased 
efficiency  in  system  acquisition. 

4.1.1.1 Analysis. Line 3: After "linear or nonlinear" insert ", deterministic
or probabilistic in nature".

Line  4:  Delete  "as  defined  by  the  FCS  development  plan", 
and  substitute  "as  best  suited  and  adequate  for  the  application.  Where  test 
verification  is  limited  by  test  sample  considerations  or  is  clearly  inadequate, 
compliance  shall  be  verified  by  the  appropriate  analytical  techniques.  The 
analytical  methods  to  be  employed  shall  be  defined  in  the  FCS  development 
plan  in  accordance  with  4.4.1." 

Discussion 

The  analysis  required  for  the  design  of  flight  control  systems  today 
goes  beyond  the  methods  normally  associated  with  linear  and  nonlinear  analyses. 
In  order  to  imply  the  wider  range  of  analytical  techniques  that  may  be 
required,  the  words  deterministic  and  probabilistic  were  added.  The  intent 
of  the  change  was  to  encompass  not  only  the  usual  linear  and  nonlinear 
analytical  control  techniques,  which  may  or  may  not  be  stochastic  in  nature, 
but also areas of analysis which may fall partially or completely outside the
realm  of  mathematics,  such  as  failure  mode  effect  analysis  and  software 
verification  and  validation. 

It  is  the  intent  of  the  change  in  the  requirement  to  point  out  that  the 
analytical  methods  to  be  used,  as  prescribed  by  the  FCS  development  plan, 
should be appropriate for the problems to which they are to be applied.

4.1.1.2 Inspection. Line 7: After the second sentence, insert "Where
applicable, flight control system software specifications, documentation,
and analyses shall be inspected or reviewed as part of the verification
process."

Discussion 

Without  the  amendment  the  requirement  is  not  up  to  date  in  that  it 
addresses  inspection  only  in  terms  of  hardware,  with  no  mention  of  the  very 
real  need  for  inspection  of  software. 

Where digital implementation is employed, visual inspections and
walk-throughs need to be performed at appropriate points during the development
cycle. Various types of documentation, in addition to the actual flight
code of the operational program, can benefit from these walk-throughs, which
are usually done by multidisciplinary teams which can bring varied
perspectives to assess the emerging software. Such inspections have proven to be
effective in the timely elimination of many types of software problems.

4.1.1.3 Test. Line 1: Delete "maximum extent feasible" and substitute
"extent required".

Line  3:  After  "shall  include"  insert  "hardware  tests  and, 
where  applicable,  software  verification  tests  in". 

Discussion 

The  initial  phase  of  this  requirement  was  modified  to  point  out: 

a)  The  need  to  consider  program  objectives  in  deciding  the  level  of 
testing  required.  Because  of  the  differences  in  prototype  development, 
full  scale  development,  and  pilot  production  programs,  the  extent  of  testing 
feasible  may  be  beyond  the  scope  of  testing  required. 

b)  Following  some  system  modifications,  the  retesting  required  can  be 
significantly  less  than  the  retesting  feasible. 

c)  A  test  may  be  feasible,  but  not  necessarily  desirable  when  taken  to 
the  maximum  extent.  For  example,  the  practical  limitations  of  cost  and  time 
on  the  realizability  of  thorough  or  exhaustive  testing  of  software  must  be 
taken  into  account  when  deciding  on  the  extent  of  testing  required.  When 
such  a  case  arises,  an  effective  application  of  analysis  is  required  for  the 
interpretation of test results so that a required confidence level of
performance is achieved.

The second modification to the requirement is to recognize the fact
that software verification and validation is a test, and that this requirement
needs to address specifically the issue of software.

4.2  Analysis  requirements.  Line  6:  After  the  second  sentence,  insert  "In 
cases  of  digital  flight  control  applications,  validation  shall  require 
comparison  to  simulation  or  emulation  results  obtained  through  the  use  of  a 
general  purpose  machine.  Where  digital  mechanization  is  involved  in  the 
flight  control  system,  the  simulation,  or  both,  pre-analysis  of  the  simulation 
mechanization  is  required  to  assess  its  validity.  The  artifacts  introduced 
by  the  simulation  mechanization  used  shall  be  investigated  to  assess  and 
minimize their effects on the simulation results."

Discussion 

The  inclusion  of  digital  flight  control  verification  and  validation 
analysis  requirements  in  this  section  maintains  the  comprehensive  intent  of 
this  paragraph. 

In  an  operational  flight  program  for  a  digital  flight  control  system, 
simulation will be required to evaluate such areas as integration techniques,
filter  implementations,  iteration  intervals,  and  failure  isolation  and 
switching.  Emulation  can  serve  in  the  early  stages  of  design  to  evaluate  the 
effect  of  interrupts  and  the  implementation  of  background  tasks. 

4.2.1  Piloted  simulations.  Line  2:  Delete  the  period  at  the  end  of  the  first 
sentence  and  insert  "to  define  and  verify  required  functional  characteristics 
and  to  evaluate  degraded  mode  effects.  The  piloted  simulation  plan  shall  be 
defined  in  the  FCS  development  plan." 

Under line 5: Add the following:

"c. Piloted simulations for digital flight control systems prior to
each flight preceded by major software modifications."

Discussion 

For  definition  and  clarity  it  is  necessary  for  this  requirement  to 
discuss  the  two  critical  areas  of  FCS  development  which  utilize  piloted 
simulation.  Further,  it  should  be  noted  that  the  simulation  plan  will  be 
defined  in  the  FCS  development,  as  was  done  in  the  AFTI-F-16  FCS  development 
plan.

The requirement for piloted simulations following major software
modifications places the same emphasis on major software modifications as
on FCS hardware before its first inflight operation.

Software  modifications  in  general  will  introduce  some  unknowns  into  the 
computer  structure.  Rather  than  proceed  through  a  complete  reverification 
following  software  modifications,  piloted  simulations  can  be  performed  to 
find  any  major  or  critical  problems  before  beginning  flight  tests.  To  date, 
this  approach  has  been  successfully  implemented  in  the  F-18  program. 

In  the  application  of  piloted  simulation  to  the  evaluation  of  the  FCS 
development,  it  is  paramount,  particularly  for  fighter  aircraft,  that  the 
simulation  go  beyond  1-g  flight.  The  simulation  must  address  critical 
areas such as high angle of attack, PIO, and landing tasks; and areas where
the  aerodynamics  are  uncertain,  such  as  departure. 

In  view  of  the  potential  importance  of  motion  cues  in  evaluating  handling 
characteristics  and  failure  effects  in  these  critical  areas,  a  portion  of  the 
piloted  simulation  for  highly  maneuverable  aircraft  may  need  to  be  conducted 
on  a  motion-based  simulator. 

4.3.1.2 Acceptance tests. Line 2: After the first sentence, add "Where
interfacing components of the FCS are procured from various sources, sufficient
acceptance testing shall be performed to ensure overall system performance
repeatability."

Discussion 

With  the  advent  of  comprehensive  built-in  test  and  inflight  monitoring 
in  modern  aircraft,  the  potential  for  interface  problems  between  FCS  components 
exists  as  a  result  of  the  levels  of  sensitivity  within  the  components.  This 
requirement  serves  to  insure  proper  integration  during  the  development  phase 
and  to  establish  the  allowable  tolerances  of  interfacing  components. 

This  interface  problem  is  typified  for  fly-by-wire  flight  control 
systems  by  the  need  of  the  flight  control  computer  vendor  to  have  integrated 
servoactuator  packages  or  sensors  on  the  premises  during  development  to 
verify that acceptable interfacing is achieved.

4.3.2.1 Component tests. Line 11: After the last sentence, add "Component
modifications to the original configuration shall be requalified by using the
appropriate verification method from those listed above."

Discussion 

The  area  of  requalification  of  components  following  modification  needs 
to  be  addressed  within  the  specification. 

4.3.2.2 Functional mockup and simulator tests. Under line 34: Add the
following:

"g. Temperature variation tests duplicating normal operation or failure
of temperature regulating elements shall be performed on components whose
performance is determined to be sensitive to variations in temperature."

Discussion

While the application of item g. is relevant to the overall flight control
system,  it  is  a  consequence  of  the  potential  thermal  effects  on  electrical 
signal  computation. 

As  aircraft  designs  continue  to  place  more  capability,  power,  and 
performance  into  smaller  integrated  packages  with  space  at  a  premium,  the 
thermal  environments  within  these  packages  become  ever  more  hostile  for 
electrical  flight  control  components.  It  is  essential  that  the  effect  of 
these  environments  on  the  flight  control  system  be  known,  particularly  as 
they  affect  the  reliability  and  performance  of  digital  flight  control  systems, 
and  redundant  systems  in  general. 

4.3.3 Aircraft ground tests. Line 3: Delete "6 db".

Line  8:  After  the  last  sentence  of  item  a.,  insert  "For 
redundant  and  multiple-loop  systems,  the  stability  requirement  in  degraded 
configurations  shall  also  be  demonstrated." 

Under line 19: Add the following paragraphs:

"e. Ground vibration tests with active controls using soft suspension
system to simulate free-free condition. Flight control sensor outputs and open
loop frequency response data shall be recorded for correlation with analytical
results used in predicting servoelastic and aeroservoelastic stability.

f. Taxi tests with increasing speed and all feedback loops closed to
examine servoelastic stability above zero airspeed. Flight control sensor
outputs and control surface deflections shall be recorded."

Discussion


The  requirement  for  6  db  stability  margin  at  zero  airspeed  is  removed  to 
achieve  consistency  with  the  flexibility  afforded  by  the  requirements  of 
3.1.3.6, and in response to the concerns expressed in reference 23. For first
flight  of  an  aircraft  type,  different  gain  margins  may  be  applied  for  rigid 
body  limit  cycle  and  ground  structural  resonance  stability,  depending  on  the 
relative  confidence  in  the  predicted  aerodynamic,  aeroelastic,  and  structural 
mode  characteristics. 

Paragraph  e.  is  added  in  concert  with  the  recommendations  of  references 
21  and  58.  Reference  58  documents  the  extensive  ground  vibration  testing  and 
analysis  correlation  effort  conducted  on  the  YF-16  under  a  research  contract 
to  improve  test  methodology  on  fighter  aircraft  with  active  controls.  This 
effort led to the conclusion that the mathematical model used in
aeroservoelastic stability analysis can be, and must be, validated or improved by GVT
with  active  controls. 

Paragraph  f.  is  added  to  reflect  the  recommendation  of  reference  21. 

This requirement does not add to the set of tests already performed prior
to first flight, but increases the utility of the taxi test to provide
additional confidence relative to servoelastic stability. The random inputs
during taxi provide excitation of the structural modes and evoke control system
responses similar to those in the low speed flight environment.

In view of the recent experiences with the YF-16 and YF-17 aircraft,
aircraft ground tests, however extensive, can no longer be considered adequate to
insure stability in flight for state-of-the-art structures and flight control
designs. Analysis, ground tests, and flight test evaluation are mandatory to
achieve this end. However, the usefulness of ground tests remains
undeniable as a necessary ingredient of the overall process.

Reference  23  provides  an  excellent  synopsis  of  stability  margin  tests 
conducted  on  a  variety  of  research,  prototype,  and  production  aircraft  with 
appropriate  conclusions  and  recommendations  added. 

With  the  increasing  use  of  digital  flight  control  systems  and  redundant 
system  implementations,  both  analog  and  digital,  several  new  considerations 
came  into  focus  and  need  to  be  addressed  as  part  of  the  overall  stability 
problem. Redundant actuation loops with input equalization of multiple
feedbacks may lead to non-aerodynamic loop instability due to beat frequencies
resulting from feedback sensor excitation differences and equalization network
characteristics.  The  presence  of  digitizing  in  the  actuation  driver  acts  as 
a  high  frequency  excitation  in  digital  flight  control  implementations  and  may 
also  result  in  a  buzz  or  non-aerodynamic  loop  instability. 

Redundant  and  multiple  loop  systems,  where  any  control  law  or  computational 
reconfiguration  occurs  following  specific  failures,  must  be  evaluated  in  the 
degraded  states  to  insure  the  required  minimum  stability. 

Finally,  the  importance  of  analytical  modeling  techniques  relative  to 
actual  flight  control  system  implementation  is  highlighted  in  reference  24, 
the  report  on  the  DIGITAC  development  and  evaluation.  Significant  phase  lags, 
attributed  to  sampling  effects,  were  found  in  the  actual  system  relative  to 
earlier  linear  simulation  results,  with  an  attendant  degradation  in  limit  cycle 
stability  characteristics.  By  their  nature,  digital  systems  also  incorporate 
numerous  linear  filter  stages,  such  as  aliasing  filters,  smoothing  filters, 
and  sample-hold  characteristics,  that  are  not  required  in  analog  systems  and 
need  to  be  accounted  for  in  any  simulation  of  digital  systems. 

In  addition  to  exploring  some  of  the  impacts  of  digital  flight  control 
implementation,  reference  24  documents  one  of  the  most  extensive  ground  test 
programs  ever  performed  on  an  aircraft,  and  provides  a  valuable  guide  toward 
planning  a  test  program  for  a  multi-loop,  highly  complex  control  system. 

4.4.1.  Flight  control  system  development  plan.  Under  line  26:  Add  the 
following: 

"h.  Where  applicable,  a  computer  program  development  plan  (CPDP)  to 
define  how  the  flight  software  is  to  be  developed,  documented,  controlled, 
and  verified,  including  specific  documentation  stages  as  they  relate  to 
computer  hardware  design  and  overall  flight  control  system  development  and 
verification.  AFR-800-14  shall  be  used  for  guidance  in  the  development  of 
the CPDP."

Discussion 

The  minimum  list  of  elements  to  be  included  in  the  flight  control  system 
development  plan  is  quite  extensive,  but  none  of  these  specifically  address 
any  of  the  aspects  of  digital  implementation.  This  may  serve  to  maintain 
the  generality  of  the  stated  provisions;  nonetheless,  the  section  seems  to  be 
where the overall integrated V&V methodology should be specified.

The FCS development plan needs to address the software verification and
validation procedures for digital flight control implementations. These
procedures in turn will be detailed further in the computer program development
plan. Where flight-critical or flight-phase critical functions are involved,
the V&V plans should reflect an integrated methodology. An example of this
methodology is described in AFFDL-TR-79-3076 (reference 39).

Vol. I, Management of Computer Resources in Systems, and Vol. II,
Acquisition and Support Procedures for Computer Resources in Systems, of
AFR-800-14 specifically address policies required for the development of
computer  programs  and  requirements  that  apply  throughout  a  system's  life 
cycle. 

4.4.3.1 FCS analysis report. Line 1: Delete the first sentence and
substitute "The contractor shall prepare a report describing FCS analysis."

Under  line  43:  Add  the  following: 

"j.  Where  applicable,  a  comprehensive  system-oriented  description  of  the 
flight  software  with  regard  to  its  design,  implementation  and  analytical 
evaluation.  Representations  shall  be  oriented  toward  understandability  of 
various  types,  aspects,  or  functions  of  the  software." 

Discussion 

The  rationale  for  the  first  amendment  to  this  section  is  covered 
in  the  discussion  of  section  4.4. 

With the importance of software for digital flight control applications,
it is essential that there be specific provisions which call for particular
V&V  methodology  results  in  the  FCS  analysis  report.  These  results  would 
include  software  analyses,  documentation,  backup  data,  etc.,  along  with 
descriptions  of  their  nature,  origins,  and  significance. 

4.4.3.3 FCS test report. Under line 18: Add the following:

"d. Where applicable, a summary of flight software testing over the range
of conditions addressed on a system level."

Discussion 

Similar to the reasons stated in the discussion of section 4.4.3.1, the
FCS test report needs to include the test data related to the verification
and validation methodology applied to the flight control software. In the

6. NOTES


6.6: After the definition of "Extremely remote" insert the following:

"Fail  operational.  The  capability  of  the  FCS  for  continued  operation 
without  degradation  following  a  single  failure,  and  to  fail  passive  in 
the  event  of  a  related  subsequent  failure. 

Fail  passive.  The  capability  of  the  FCS  to  automatically  disconnect  and 
to  revert  to  a  passive  state  following  a  failure.  Allowable  failure 
transient  or  out  of  trim  condition  is  to  be  within  the  limits  as 
established  for  the  particular  procurement. 

Fail  safe.  The  capability  of  the  FCS  in  a  single  channel  mode  of 
operation  to  revert  to  a  safe  state  following  an  automatic  disconnect  in 
the  event  of  a  failure  or  pilot  initiated  disconnect.  Safe  state  may  be 
achieved  by  authority  limiting  and  positive  removal  of  actuation  motive 
power.  The  allowable  authority  limits  need  to  be  established  to  provide 
the  desired  performance  objectives  and  in  consideration  of  structural 
design  limits  and  safe  recovery  characteristics." 

Discussion 


Refer to the 3.1.3.1 paragraph discussion in this document.